drjbhl
Ramblings of an old Doc
WebGL Vulnerable to Security Breaches
Published on May 9, 2011 By DrJBHL In Personal Computing

 

 

Big deal. What’s WebGL?

WebGL (Web Graphics Library) is an in development standard specification defining a JavaScript API for writing web applications utilizing hardware accelerated 3D graphics.

So, this is quite upsetting to the makers of Firefox and Chrome and that’s because they use it in all their versions since 4.x and 9.x, respectively. OK, they’ll patch it. Nope. The very architecture of webGL is what makes it vulnerable, and that’s going to make it very hard to fix.

Your antiviral/antimalware protect the usual routes of attack. They don’t protect your graphics card. That’ll be the route of attack…. Haha! Dumb Windows usres! Switch to Mac!

Nope, Windows, Linux and Apple OS’s are all vulnerable – oh yes, the Safari currently under development is vulnerable too.

The flaws researched by UK consultancy Context Information Security are serious enough, the company said, to allow an attacker to compromise the attacked PC through the poorly defended graphics card layer, or at the very least crash the system to make it more vulnerable to exploits.

The company confirmed that it had been able to exploit systems using proof-of-concept attacks with certain graphics cards in a way -- kernel mode -- that breached the most secure ring of an OS. – PCWorld

"The risks stem from the fact that most graphics cards and drivers have not been written with security in mind so that the interface (API) they expose assumes that the applications are trusted," said Context Research and Development Manager Michael Jordan.

Disabling WebGL in Firefox 4

Disabling WebGL varies from browser to browser but in Firefox involves setting a required value to "false" using the “about:config” command.

1. Type about:config in Firefox address bar and continue with warning dialog.

2. Type Webgl in the Filter box double click “ webgl.enabled_for_all_sites”  and set its value to False.

3. Restart Firefox browser, WebGL is now disabled in Firefox 4.

From Techdows.

I’ve looked for instructions on how to do the same for Chrome, but can’t find any… unless you’re a programmer working for Google.

Source: http://www.pcworld.com/businesscenter/article/227434/webgl_hit_by_hardtofix_browser_security_flaw.html


Popular Articles in this Category
Safe and free software download sites for windows
Keep an Eye Out!
A new and more functional PC Manager widget from MS
Popular Articles from DrJBHL
Safe and free software download sites for windows
A new and more functional PC Manager widget from MS
Comments (Page 2)
4 Pages1 2 3 4 
16
Disturbedcomputer
on May 09, 2011

tazgecko
reply 14
It works fine on my computer / palemoon.

could be a driver problem or firefox, I'll take it down anyway, DC ... we don't want people's programs crashing

no need to take it now right down it might just be my side

cause it is working in IE 9

just not my FF 4.0.1

17
Daiwa
on May 09, 2011

How's this:

webgl.disabled - set to true (default is false)

webgl.force-enabled - set to false (default is true)

Looks like that would have you covered.

Have no idea what osmesa is.

18
alaknebs
on May 10, 2011

off-screen Mesa

 

...whatever that is

19
Disturbedcomputer
on May 10, 2011

Daiwa
reply 17
How's this:

webgl.disabled - set to true (default is false)

webgl.force-enabled - set to false (default is true)

Looks like that would have you covered.

Have no idea what osmesa is.

 

was this for me? if so thanks for the info..

this one is good as my Default is False

webgl.force-enabled - set to false (default is true)

20
DrJBHL
on May 10, 2011

quoting post

 
 
 
Disabling WebGL varies from browser to browser but in Firefox involves setting a required value to "false" using the “about:config” command.
1. Type about:config in Firefox address bar and continue with warning dialog.
2. Type Webgl in the Filter box double click “ webgl.enabled_for_all_sites”  and set its value to False.
3. Restart Firefox browser, WebGL is now disabled in Firefox 4.
 


21
Uvah
on May 10, 2011

DisturbedComputer
reply 11
ok cool

 

I went to about:config but I do not have any that say (webgl.enabled_for_all_sites) so when you say this are you saying for all Webgl

here are the ones i do have

Preference Name            Status     Type     Value
 
webgl.disabled               Default   Boolean    False
webgl.force-enabled       Default   Boolean    False
webgl.force_osmesa       Default   Boolean    False
webgl.osmesalib             Default   String       
webgl.prefer-native-gl    Default    Boolean   False
webgl.shader_validator   Default   Boolean   True
webgl.verbose                Default   Boolean   False

 

EDIT

just so I am Clear do I set them all to True?

 

Only the top line DC. Set that one to true (just double click). The others stay the same.

22
StevenAus22
on May 10, 2011

Pale Moon doesn't have "webgl.enabled_for_all_sites" just "webgl.disabled".  So in this case I think Pale Moon 4 *is* different to Firefox 4.

Best regards,
Steven.

23
inthebloodofeden
on May 10, 2011

StevenAus
reply 22
Pale Moon doesn't have "webgl.enabled_for_all_sites" just "webgl.disabled".  So in this case I think Pale Moon 4 *is* different to Firefox 4.

Best regards,
Steven.

Yeh, I think in Pale Moon is enough to set "webgl.disabled" on True (by default is False, that means webgl is enabled)

24
Disturbedcomputer
on May 10, 2011

Uvah
reply 21
Only the top line DC. Set that one to true (just double click). The others stay the same.

 

thanks Uvah it is now set to true

25
Dr Guy
on May 10, 2011

Daiwa
reply 3
Same here for PaleMoon - no such entry in about:config.

Ok, reading more comments, I understand what you did not find.  Thanks all for clearing that up!

I found it - webgl.disabled;false  And it is disabled thankfully.  Thanks for the tip again Doc!

26
StevenAus22
on May 10, 2011

Actually in Pale Moon webgl.disabled must be true.  webgl.disabled being false means it *isn't* disabled (double negative).  Agreed it is quite confusing the way Pale Moon has done it, but basically the webgl option must be the opposite of the default, unmodded value in either Firefox or Pale Moon (that is, respectively, webgl.enabled_for_all_sites=false or webgl.disabled=true).

Best regards,
Steven.

27
Uvah
on May 10, 2011

In other words it means the same thing

28
DrJBHL
on May 10, 2011

StevenAus
reply 26
Actually in Pale Moon webgl.disabled must be true.  webgl.disabled being false means it *isn't* disabled (double negative).  Agreed it is quite confusing the way Pale Moon has done it, but basically the webgl option must be the opposite of the default, unmodded value in either Firefox or Pale Moon (that is, respectively, webgl.enabled_for_all_sites=false or webgl.disabled=true).

Best regards,
Steven.

StevenAus understood correctly.

29
happyboy7
on May 10, 2011

I'm not sure if this is at all helpful, but in doing a search to disable in Chrome, it was mentioned to issue a command line switch:

chrome.exe--disable-webgl

Not sure how to do this.  Hopefully someone will know.

30
Daiwa
on May 10, 2011

Wonder what the 'webgl.force-enabled' is all about.  The default for that is True in PaleMoon here.

4 Pages1 2 3 4 
Meta
Views
» 36541
Comments
» 46
Category
» Personal Computing
Comment
Recent Article Comments
Let's see your political mem...
LightStar Design Windowblind...
Let's start a New Jammin Thr...
A day in the Life of Odditie...
Safe and free software downl...
Veterans Day
A new and more functional PC...
Post your joy
AI Art Thread: 2022
WD Black Internal and Extern...
Sponsored Links
Terms of Service Privacy Policy About Us Contact Us Stardock.com
© 2024 Stardock Corporation. All rights reserved.
JoeUser v1.0.0.0