Skip to main content
  1. Home
  2. Computing
  3. News

Mozilla spars with Microsoft over WebGL security

Geoff Duncan
By
WebGL general graphic
Image used with permission by copyright holder

Last week, Microsoft raised some hackles in the Web development community by claiming that there was no way to implement the WebGL open 3D graphics standard in Internet Explorer without exposing users to unacceptable potential security risks.

WebGL is a 3D graphics environment build on OpenGL 2.0, used for many 3D games and technologies, and promises to bring hardware-accellerated 3G graphics support to Web browsers. Google Chrome and Mozilla Firefox already support WebGL, and Opera and Safari are working on support. However, while Microsoft has made many strides with Internet Explorer 9—and is already showing off work on IE10— Internet Explorer offers no support for WebGL.

Recommended Videos

In a detailed posting, Microsoft outlined its primary reasons for considering WebGL a security risk: that WebGL exposes hardware functionality (e.g. video cards and processing) to Web content in an “overly permissive” way, that WebGL security servicing relies too heavily on third party components, and that today’s graphics systems were never intended to cope with shaders and 3D geometries that are specifically designed as attacks.

“We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities,” Microsoft wrote. “In its current form, WebGL is not a technology Microsoft can endorse from a security perspective.”

Microsoft also cited two reports from Context Information Security that outlined security issued in WebGL.

Not surprisingly, WebGL supporters take issue with Microsoft’s position, and leading the charge for the moment is Mozilla’s VP of technical strategy, Mike Shaver, who notes that Microsoft seems to overcome all of the concerns it has over WebGL in its own Silverlight technology. Although Silverlight uses Microsoft’s own Direct3D technology on Windows, on Mac OS X Silverlight taps into OpenGL in pretty much the same manner as WebGL.

“I suspect that whatever hardening [Microsoft] applied to the low-level D3D API wrapped by Silverlight 3D can be applied to a Microsoft WebGL implementation as well,” Shaver wrote. “That Silverlight supports Mac as well, where these capabilities must be mapped to OpenGL, makes me even more confident.”

Shaver acknowledges security issues in WebGL are real—including bugs that impact Firefox’s WebGL implementation. However, Shaver argues these issues are like security issues in any other technology and are being addressed by a responsible ecosystem of partners and developers.

“It may be that we’re more comfortable living on top of a stack we don’t control all the way to the metal than are OS vendors,” Shaver wrote, “but our conversations with the developers of the drivers in question make us confident that they’re as committed as us and Microsoft to a robust and secure experience for our shared users.”

Topics
Geoff Duncan
Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
How to draw on Google Docs to add doodles, sketches, and more
The Google Play Store, YouTube, and Google Docs installed on an Amazon Fire Max 11.

Word processing software isn’t the kind of tool that most users would consider exciting, which is why we’re glad to see companies like Google adding a little flair to its own products. We’re talking about Google Docs, a free-to-use word processor that’s part of your larger Google Account ecosystem. Basic formatting options and other familiar word processing functions are front and center on Google Docs, but the ability to add doodles, sketches, and other entertaining media to your next Docs file requires a special bit of know-how.

Read more
AMD’s upcoming APUs might destroy your GPU
AMD CEO Lisa Su holding an APU chip.

The spec sheets for AMD's upcoming APU lineups, dubbed Strix Point and Strix Halo, have just been leaked, and it's safe to say that they're looking pretty impressive. Equipped with Zen 5 cores, the new APUs will find their way to laptops that are meant to be on the thinner side, but their performance might rival that of some of the best budget graphics cards -- and that's without having a discrete GPU.

While AMD hasn't unveiled Strix Point (STX) and Strix Halo (STX Halo) specs just yet, they were leaked by HKEPC and then shared by VideoCardz. The sheet goes over the maximum specs for each APU lineup, the first of which, Strix Point, is rumored to launch this year. Strix Halo, said to be significantly more powerful, is currently slated for a 2025 release.

Read more
Hyte made me fall in love with my gaming PC all over again
A PC built with the Hyte Nexus Link ecosystem.

I've never seen anything quite like Hyte's new Nexus Link ecosystem. Corsair has its iCue Link system, and Lian Li has its magnetic Uni system, and all three companies are now offering ways to tie together your PC cooling and lighting devoid of extraneous cables. But Hyte's marriage of hardware, software, and accessories is in a league of its own -- and it transformed my PC build completely.

I've been using some of the foundational components of the ecosystem for about a week, retailoring a build inside of Hyte's own Y40 PC case to see how the system works. It doesn't seem too exciting at first -- Hyte released an all-in-one (AIO) liquid cooler, some fans, and a few RGB strips, who cares? But as I engaged more with the Nexus Link ecosystem, I only became more impressed.
It all starts with the cooler

Read more