Press "Enter" to skip to content

Security Risk in Firefox & Chrome

Many of us who use Firefox or Chrome browsers do so for security reasons. Unfortunately, this lulls many of us into a false sense of security, as there’s really no such thing as “safe” browsing. This has become increasingly true in recent years, as major content providers have insisted that a feature rich web experience should trump security, with the folks at Mozilla and Google seemingly willing to lend a helping hand.

According to James Forshaw with the security firm Context, there is a new security threat to worry about in the form of WebGL, which is enabled by default in Firefox 4 and Chrome. According to Forshaw, the risk is substantial – both to your data and to your hardware. Just to give you an idea:

  1. A number of serious security issues have been identified with the specification and implementations of WebGL.
  2. These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable.
  3. Additionally, there are other dangers with WebGL that put users’ data, privacy and security at risk.
  4. These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode).
  5. Browsers that enable WebGL by default put their users at risk to these issues.

Forshaw goes on to recommend that WebGL not be enabled in Opera and Safari (where it’s disabled by default), and disabled in Firefox 4 and Chrome. However, disabling WebGL isn’t as easy as going to “Options” and unticking a check box, but requires (in Firefox) using the about:config command.

Directions for disabling WebGL in Firefox can be found at the Techdows web site. For disabling in Chrome, you’re on your own.

Breaking News: