More security problems for WebGL: Context highlights additional WebGL vulnerabilities and raises more questions for Khronos
By: Context Information Security

The findings are published today along with videos in a Context blog at: http://www.contextis.com/

Context’s original investigations discovered design level security issues that provide a ‘back-door’

“While Mozilla has taken steps to mitigate the original vulnerabilities and will fix this latest threat in the new version of its browser, scheduled for release on 21 June, we believe this is the tip of the iceberg for the difficult adoption of this immature technology, leaving users vulnerable.”

“The fact that security-related Khronos conformance tests are not clearly identified has been a contributory factor in security issues being missed by developers of the current browser implementations of WebGL,” adds Jordon. “It would be unreasonable to expect full conformance to the complete specification of any new standard, but some areas of WebGL need to be carefully implemented to prevent security issues arising. Browser developers should now start banning non-conformant configurations as they are identified until the security issues that have been highlighted are resolved.”

Context’s research also found that Khronos’ recommended defence against the Denial of Service issue, WebGL_ARB_robustness, is not fit for purpose. It is only supported by certain chipsets and operating systems, such as NVidia on Windows and Linux, and the extension only mitigates, rather than resolves, the WebGL DoS issues.

The risks from WebGL depend on the web browser, operating system and graphics card being used. WebGL is currently supported only on Firefox and Chrome, so users of Internet Explorer, Safari or Opera are not vulnerable to WebGL issues. “We would advise anyone at risk to disable WebGL until the security vulnerabilities have been addressed,” added Jordon.
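The part of the DoS mitigation that falls on the web page, as an added example that is not part of the Context press release, the Khronos specification or any browser's code: when a robustness-capable driver resets a hung GPU, the browser surfaces that to the page as a lost WebGL context, and a page that neither feature-detects WebGL nor handles the `webglcontextlost` / `webglcontextrestored` events will break on browsers where WebGL is disabled (as the release advises) or stay dead after a reset. `MockCanvas` and `CountingRenderer` are constructed stand-ins so the example runs under Node; on a real page the same two functions take a real canvas element and your own renderer.

```javascript
// Added example, not code from Context, Khronos or any browser vendor.
// Shows (1) feature-detecting WebGL so a disabled/unsupported browser gets a
// fallback instead of an exception, and (2) handling context loss, which is
// how a GPU reset reported through ARB_robustness reaches page JavaScript.

function getWebGL(canvas) {
  // Standard name first, then the prefixed name early browsers used.
  for (const name of ["webgl", "experimental-webgl"]) {
    const gl = canvas.getContext(name);
    if (gl) return gl;
  }
  return null; // WebGL disabled or unsupported: caller must fall back
}

function attachContextLossHandling(canvas, renderer) {
  const state = { gl: getWebGL(canvas), lost: false, lostCount: 0, restoredCount: 0 };
  if (!state.gl) return state; // nothing to attach; renderer never starts

  canvas.addEventListener("webglcontextlost", (ev) => {
    // Without preventDefault() the browser will never fire webglcontextrestored.
    ev.preventDefault();
    state.lost = true;
    state.lostCount += 1;
    renderer.stop(); // stop issuing GL calls; every call on a lost context is a no-op
  });

  canvas.addEventListener("webglcontextrestored", () => {
    // Every buffer, texture and shader is gone: rebuild from scratch on a fresh context.
    state.gl = getWebGL(canvas);
    state.lost = false;
    state.restoredCount += 1;
    renderer.start(state.gl);
  });

  renderer.start(state.gl);
  return state;
}

// Constructed stand-in for an HTMLCanvasElement so this runs without a browser.
// A real canvas fires these events itself; here dispatch() plays that role.
class MockCanvas {
  constructor(supportsWebGL = true) {
    this.supportsWebGL = supportsWebGL;
    this.listeners = {};
  }
  getContext(name) {
    return this.supportsWebGL && name === "webgl" ? { name } : null;
  }
  addEventListener(type, fn) {
    (this.listeners[type] || (this.listeners[type] = [])).push(fn);
  }
  dispatch(type) {
    const ev = { type, defaultPrevented: false, preventDefault() { this.defaultPrevented = true; } };
    for (const fn of this.listeners[type] || []) fn(ev);
    return ev;
  }
}

// Constructed renderer that only records whether it is running and how often it
// was (re)initialised; a real one would compile shaders and upload buffers in start().
class CountingRenderer {
  constructor() { this.running = false; this.starts = 0; }
  start(gl) { this.running = Boolean(gl); this.starts += 1; }
  stop() { this.running = false; }
}

// Walk through a simulated GPU reset: lost, then restored.
function simulateReset() {
  const canvas = new MockCanvas(true);
  const renderer = new CountingRenderer();
  const state = attachContextLossHandling(canvas, renderer);
  const lostEvent = canvas.dispatch("webglcontextlost");
  const runningWhileLost = renderer.running;
  canvas.dispatch("webglcontextrestored");
  return { state, renderer, lostEvent, runningWhileLost };
}

module.exports = { getWebGL, attachContextLossHandling, MockCanvas, CountingRenderer, simulateReset };
```

In a real browser the only lines that change are the two constructed classes: pass `document.getElementById("c")` as the canvas and your own renderer. The `WEBGL_lose_context` extension, where a browser exposes it, lets you fire the same lost/restored sequence on real hardware to test this path without actually hanging the GPU.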
“We have been working with developers of the Firefox plug-in NoScript (http://noscript.net/

The full Context blog including two videos can be seen at: http://www.contextis.com/

About Context

Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. Founded in 1998, the company’s client base has grown steadily based on the value of its product-agnostic, holistic approach and tailored services combined with the independence, integrity and technical skills of its consultants. The company’s client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations. As the best security experts need to bring a broad portfolio of skills to the job, Context staff offer extensive business experience as well as technical expertise to deliver effective and practical solutions, advice and support. Context reports always communicate findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.

Issued by: Context Information Security, Tel: +44 (0)20 7537 7515, email: blogs[at]contextis[ www.contextis.com

For more information for editors, please contact: Peter Rennison / Allie Andrews, PRPR, Tel +44 (0)1442 245030 / 07831 208109, pr[at]prpr[dot]

Distributed on behalf of PRPR by NeonDrum news distribution service (http://www.neondrum.com)