Last week Microsoft issued a blog post stating that Internet Explorer will not support WebGL because WebGL is inherently insecure. The post was based on research conducted by the firm Context, which showed that WebGL could be used for denial of service attacks or use the GPU to run malicious code. Microsoft complained that WebGL is too reliant on third parties (ie, GPU vendors) to secure the Web experience.
The only problem, according to Chrome developer Gregg Tavares (not speaking on behalf of Google), is that Silverlight 5 has the exact same vulnerability. Microsoft says it has fixed the vulnerability and the fix will appear in the next beta release.
Microsoft’s alternatives to WebGL are Silverlight and its hardware accelerated implementation of HTML5 (which it calls “native HTML5”) standards in Internet Explorer 9 and 10. Also, WebGL is based on OpenGL, which competes with Microsoft’s DirectX technology.
Tavares writes:
We studied this issue in depth at Google and we’ve proven there is no way you can limit the features of access to the GPU enough to prevent this and still have useful access to the GPU. You can cause this with or without shaders. As long as you can submit geometry to the GPU you can cause this problem.
Fortunately there are solutions. The simplest solution is to time how long the GPU is taking to execute each task. If it’s taking too long reset the GPU and kill the page that issued the command. Microsoft Windows is one of the only OSes that currently provides this solution. They should be proud of this. They can basically claim the best place to run WebGL is on Windows. The Khronos group is working to bring similar functionality to other OSes as fast as possible and it may already be available in some drivers.
Tavares’ position is that Silverlight is just as dependent on third party vendors as WebGL is, and that Microsoft is the company that could do the most to ensure cooperation from vendors.
A Silverlight DoS vulnerability has been submitted as a bug to Microsoft by Mozilla developer Benoit Jacob. Here’s part of the exchange that followed:
Microsoft: Thank you for reporting and helping to ensure a quality release. Silverlight 5 is currently in Beta. Security hardening and the complete implementation of the security plan happens over the full course of product development. DoS issues such as this are addressed in an upcoming release.
Benoit Jacob: I look forward to the final Silverlight 5 with the fix for this DoS, but in the meantime I am curious as to what the fix consists of?
As far as I can see, any fix would have to involve working with GPU vendors toward making 3D APIs more resilient to DoS. The WebGL working group has been doing exactly that ( http://www.khronos.org/webgl/security/ ). If Microsoft is doing the same, it would be nice to work together on this front.
Microsoft: To clarify the earlier statement, DoS mitigations are implemented in current internal builds and will ship with Silverlight 5 RTM.
In other words, Microsoft claims to have a fix, but won’t say what it is (somewhat understandably).
My take: The security claim regarding WebGL is a new one from Microsoft. Previously, it has argued that developers simply didn’t want WebGL. Considering the high level of interest from developers, in the comments here and elsewhere, I’d say there’s actually a clear demand from developers for WebGL support in Internet Explorer. Now that the demand for WebGL has become harder to deny, Microsoft is switching to the security claim.
That said, Microsoft does need to be very careful about security, as its reputation for security has been remarkably poor. There are real security issues that the Khronos Group needs to work out with GPU vendors, and it’s reasonable for Microsoft to say, as it did, that it will not support the technology in its current form.
Still, this seems disingenuous since it seems clear that Microsoft had no intentions of supporting WebGL in the first place.
Disclosure: Microsoft is a ReadWriteWeb sponsor.
