|Page (1) of 1 - 05/09/11||email article||print page|
Security flaws in new WebGL technology put PCs and data at riskResearch by Context Information Security shows design level security issues, which give potentially malicious web pages low l (May 09, 2011)
WebGL is currently supported on Linux, OSX and Windows operating systems, using Firefox 4, Safari and Google Chrome browsers. In addition to desktops and notebooks, WebGL is also being adopted for use in other devices including smart phones and is rapidly increasing in popularity.
"The risks stem from the fact that most graphics cards and drivers have not been written with security in mind so that the interface (API) they expose assumes that the applications are trusted," says Michael Jordon, Research and Development Manager at Context. "While this may be true for local applications, the use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats from breaking the cross domain security principle to denial of service attacks, potentially leading to full exploitation of a user's machine."
"We think it is important to raise awareness of this issue before WebGL becomes more widely adopted because this is not an implementation problem, but is down largely to the WebGL specification, which is inherently insecure," adds Jordon. "In the short term, individual end users or IT departments can avoid potential problems by simply disabling WebGL within their browsers; but the only long term solution is for the developers of WebGL itself to ensure that the specification is designed and tested to prevent these types of risks."
For more information on the security implications of the emerging WebGL technology, Context has today (9 May 2011) published a blog detailing the design level security issues within WebGL along with some examples of proof of concepts.
Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. Founded in 1998, the company's client base has grown steadily based on the value of its product-agnostic, holistic approach and tailored services combined with the independence, integrity and technical skills of its consultants.
The company's client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations. As best security experts need to bring a broad portfolio of skills to the job, Context staff offer extensive business experience as well as technical expertise to deliver effective and practical solutions, advice and support. Context reports always communicate findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.
Context Information Security, Tel: + 44 (0)20 7537 7515, email: blogs[at]contextis[dot]com
For more information for editors, please contact :
Peter Rennison / Allie Andrews
PRPR, Tel + 44 (0)1442 245030 / 07831 208109
pr[at]prpr[dot]co.uk / allie[at]prpr[dot]co.uk
Related Keywords:IT Security, Software Development, PC Security, WebGL, hacking
Source:Digital Media Online. All Rights Reserved