On May 9, Context, a company specializing in computer security, published a note on its website detailing various vulnerabilities found in WebGL. They make it possible to crash a remote machine or take screenshots without the user's knowledge. Despite the efforts of Khronos, the publisher of WebGL, this is an opinion that is increasingly shared.
Chrome and Firefox integrate the API by default. It can be enabled in Safari, but that requires manual action by the user. It seems that most of these problems are inherent in WebGL itself: the fault would lie not with a poor integration by browser vendors, but with an API that is too permissive. A video posted on the company's website shows two of the security vulnerabilities in action.
The first overloads the graphics card and causes a fatal error. The second makes it possible to acquire data from the target computer. Khronos's response was not long in coming: it explained that there are features that work around these issues, such as "GL_ARB_robustness", which prevents excessive use of the GPU. These still have to be used by graphics chip manufacturers in the development of their drivers.
In addition, it does not address every problem. Khronos is aware of this and has announced work on other solutions, but also maintains that the vulnerabilities found by Context remain proofs of concept. No site currently exploits them. Yesterday, Microsoft decided to join the discussion, and it seems to side with Context.
It denounced the laxity of the API and its excessive dependence on the drivers of graphics card manufacturers. Redmond has therefore refused to support it. Chris Marrin, an engineer at Apple, also indicated earlier this month on the Khronos mailing list that WebGL will not be available to all iOS 5 developers and will be reserved for the iAd SDK, a development tool for creating advertisements for iOS platforms.
There is no question of a version of Safari for iOS integrating WebGL. We would point out, however, that the company has not issued a press release on the subject and has not taken an official position, as Microsoft did. It is simply a message from one of its engineers on a mailing list. WebGL is a library that extends the capabilities of JavaScript to make use of systems' graphics chips.
The ports of Quake and Doom are two good examples of what can be done in a browser, but the new security concerns could slow its adoption.