The US Computer Emergency Readiness Team is advising users of Firefox and Opera to disable WebGL. An exploit means that machines can be remotely controlled by malicious users.
The web standard WebGL has a weakness which opens browsers to serious attacks, including the remote execution of malicious code, according to independent research consultancy firm Context Information Security.
This technology first made an appearance in Version 9 of Chrome and has recently been added to Firefox 4. WebGL is also included in builds of Opera and Safari.
Context researcher James Forshaw says, “Based on this limited research Context does not believe WebGL is really ready for mass usage. Therefore Context recommends that users and corporate IT managers consider disabling WebGL in their browsers.”
WebGL is a new technology that allows browsers to render 3D graphics by accessing graphics hardware. Research shows that malicious web pages could exploit serious issues to cause blue screens of death and even steal sensitive data. Malware could also be executed, causing long-term security problems.
A Google spokesperson issued a statement:
“Many parts of the WebGL stack, including the GPU process, run in separate processes and are sandboxed in Chrome to help prevent various kinds of attacks. To help ward off lower level attacks, we work with hardware, OS, and driver vendors to proactively disable unsafe system configurations and help them improve the robustness of their stack.
I’d also point out that Chrome doesn’t run on some system configurations if lower level stack issues are identified. This is a key intermediate step to help protect Chrome users.”
US-CERT has also advised disabling WebGL. Very little information is currently available on how to do this, but here are some guidelines.
For Chrome, go to the OS command line and add the --disable-webgl flag to the Chrome command. On a Windows machine, the command line should be “chrome.exe --disable-webgl”. Firefox 4 users should type ‘about:config’ into the address bar and set webgl.disabled to true.
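For IT managers who need the Firefox setting applied to many profiles rather than set by hand, the following is an added example (not from the original article or from Mozilla) that writes webgl.disabled into each profile's user.js, the file Firefox reads at startup. The profiles root passed in, the function names and the sample profile names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Firefox reads user.js from the profile directory at every startup.
LINE = 'user_pref("webgl.disabled", true);'
# Any existing user_pref line for webgl.disabled, whatever its value.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"webgl\.disabled"\s*,.*\)\s*;\s*$')


def enforce_webgl_disabled(profile_dir):
    """Pin webgl.disabled to true in one profile's user.js.

    Returns True if the file was changed, False if already compliant."""
    user_js = Path(profile_dir) / "user.js"
    old = user_js.read_text().splitlines() if user_js.exists() else []
    if [l for l in old if PREF_RE.match(l)] == [LINE]:
        return False
    # Drop stale or duplicate entries, keep every unrelated preference.
    kept = [l for l in old if not PREF_RE.match(l)]
    user_js.write_text("\n".join(kept + [LINE]) + "\n")
    return True


def enforce_all(profiles_root):
    """Apply the setting to each profile (a directory holding prefs.js)."""
    return {p.parent.name: enforce_webgl_disabled(p.parent)
            for p in sorted(Path(profiles_root).glob("*/prefs.js"))}


if __name__ == "__main__":
    # Constructed sample profiles; names and contents are made up.
    root = Path(tempfile.mkdtemp())
    for name, user_js in [("abc.default", 'user_pref("webgl.disabled", false);\n'),
                          ("xyz.work", None)]:
        (root / name).mkdir()
        (root / name / "prefs.js").write_text("")
        if user_js is not None:
            (root / name / "user.js").write_text(user_js)
    print(enforce_all(root))   # first run changes both profiles
    print(enforce_all(root))   # second run changes nothing
```

The returned mapping doubles as an audit result: a True on a later run means a profile had drifted from the required setting since the last pass.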
KitGuru says: Hopefully patches will be coming soon to address this serious security risk.