Microsoft rejects WebGL over security concerns

Say what you want about Microsoft, but it is clear that the Redmond software giant is taking a very strong stance on security recently, especially after its experience in dealing with the security disasters that were Windows XP and Internet Explorer 6. In fact, so uncompromising is the company's stand that Microsoft has decided to reject the open WebGL in favor of its own Direct3D technology for accelerating 3D graphics on browsers, in spite of it having voiced broad support for HTML5 and new web-based standards.

When Microsoft officially released Internet Explorer 9 for the masses, there was much excitement over what appeared to be a new web browser from a company which, at the time, appeared to have finally seen the light with regards to open web standards. Indeed, at the time of its launch, Internet Explorer 9 was known to be the most standards-compliant browser ever released from Microsoft, and many are expecting that the upcoming Internet Explorer 10 is set to carry on the trend of what seems to be Microsoft's genuine efforts to embrace such standards.

However, it is also clear that the Redmond giant is still planning to draw a fine line between open standards and security, and is always more than ready to drop the former in favor of proprietary solutions if they do not match up to the company's own Security Development Lifecycle requirements. And one prominent aspect of HTML5 which has been unceremoniously given the boot from Microsoft is that of WebGL, which is a software library based on OpenGL ES 2.0 and designed to provide an API for the rendering of 3D graphics on a web browser via HTML5's canvas element.

According to a recent post made on Microsoft's TechNet blogs, the engineering team over at Microsoft's Security Response Center (MSRC) made the decision not to endorse WebGL over three critical security flaws which it considers to be "harmful". The first flaw pointed out by the MSRC's team centers around the fact that WebGL's very nature allows the API to expose too much low-level information about a system and its accompanying hardware to the Internet, up to a point where even Microsoft describes it to be "overly permissive". The posting also goes on to claim that Microsoft expects the large amount of information exposed in WebGL to result in the authoring of customized bugs "that exist only on certain platforms or with certain video cards, potentially facilitating targeted attacks".

The second flaw, as contended by Microsoft, is that WebGL is too dependent on third-party code in order to ensure that users are able to enjoy a proper web experience. In addition, Microsoft has also singled out video card drivers as one of the weakest links in WebGL security, claiming that some of the vulnerabilities in the standard "will not always manifest in the WebGL API itself", and that "the problems may exist in the various OEM and system components delivered by IHV". The post also goes on to explain how most video card manufacturers tend to adopt a yearly update schedule for their hardware drivers, a practice which Microsoft has criticized as being incompatible with "the needs of a security update process". And it seems that Microsoft may be right on this one, considering how Mozilla itself had to blacklist a large number of hardware configurations due to driver issues, even when running off Microsoft's own restricted Direct2D and Direct3D APIs. To further complicate matters, a recent study has confirmed that none of the current WebGL implementations in browsers today conform to the standards set forth by the Khronos group, which is a clear sign of just how immature the standard really is.

Last but not least, Microsoft claims that the reliance on insecure and buggy display drivers for use in WebGL will open doors to "problematic system denial-of-service scenarios", due to the fact that "modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry". The Redmond giant further believes that this will allow rogue websites "to freeze or reboot systems at will", which may have the potential to bring down "critical infrastructure".

With that said and done, it looks like Microsoft's stand on WebGL is as definitive as it can get. Until most major browser developers can agree on a universal implementation of WebGL that conforms to the Khronos group's specifications and graphics card manufacturers start ensuring that their drivers do not end up opening more holes in an operating system for hostile websites to attack from, WebGL is not going to get itself any love from the likes of Microsoft.

Source: Microsoft TechNet via Ars Technica