A Blog From Behind the Trenches

Attack of the Bugs

Microsoft tries to step on WebGL, stumbles on its own feet

Wednesday, June 22, 2011 1:30:00 PM

, , , ,

The other day, Microsoft decided to speak out against WebGL. It's harmful to the web, they said.

To be more specific, they are worried about security.

Microsoft's position is not entirely unreasonable. There are always possible security concerns with new technologies. It is important to highlight these, and fix any problems (such as the recent WebGL vulnerability in Firefox).

But since when did a security flaw mean that we throw the entire piece of technology out? Operating systems and web browsers have been dealing with security problems for many years. It's not like this is new to Microsoft, so their criticism sounds more like FUD than anything else.

Indeed, Microsoft's criticism would sound a little less hollow if they weren't doing the exact same thing with Silverlight that they are criticizing WebGL over.

And lo and behold, a Denial of Service vulnerability in Silverlight 5 of the same type that Microsoft was overly concerned about with WebGL recently surfaced.

I'll quote the report here:

Recently Microsoft published an article about a WebGL DOS vulnerability:
http://blogs.technet.com/b/srd/archive/2011/06/16/webgl-considered-harmful.aspx

The same vulnerability exists in Silverlight 5, here's a proof of concept (warning, crashes your system)
http://people.mozilla.org/~bjacob/SilverLight5DOSJustLikeWebGL/HelloWorld3D/Bin/Debug/HelloWorld3DTestPage.html

Normally I wouldn't file a Silverlight bug report about that since this really isn't specific to Silverlight (or WebGL, or any particular 3D API), but the above-mentioned Microsoft security article suggests that Microsoft thought that it would be WebGL-specific.


Ouch.

Double ouch.

To be clear, WebGL doesn't allow you to simply pass things directly to the driver. The browser "compiles" the source before it reaches the OpenGL (or Direct3D) driver. This seems to be similar to what Silverlight is doing. Even Flash 11 will be doing these things.

So when it all comes down to it, Microsoft looked at a problem, wrote a text on it, and made it sound like it was specific to WebGL. But the problem also exists in other 3D APIs, and yet Microsoft seems to think that WebGL is "harmful to the web" while Silverlight isn't?

Even people at Microsoft do not buy it. That's how convincing their "WebGL Considered Harmful" article is.

So, Microsoft, does this mean you are going to kill 3D support in Silverlight, or does it mean you will add WebGL support to Internet Explorer?

A little consistency would be nice, you know?

State of the Opera: Q1 2011HAPPY CAPS LOCK DAY!

Comments

Krio LythKriolyth Wednesday, June 22, 2011 2:06:27 PM

Guys at Microsoft must have had a template with %placeholders%, as virtually any software technology could fit into their article, not just WebGL. Still a lousy excuse for not willing WebGL into their own products smile

However, I wonder if this article is just something they want to start pushing their own technology with.

Ronit Kumarronitrex Wednesday, June 22, 2011 2:23:38 PM

But the claims opened by Microsoft do have a valid point, embedding security directly into Win Vista and 7 have made it more secure and robust.
Both Silverlight and Webgl in their current forms aren't secure. Silverlight 5 isn't out yet, and the functionality can change.

I found this on Ars Technica :

"""Case in point:
http://www.gamedev.net/topic/599552-my-code-is-displayed-at-the-terrain-s/

The OpenGL driver didn't bother with data validation or sanity checks. In this case the developer had accidentally set an invalid texture, causing the graphics card to read from a random place in VRAM - which was being used by Windows to store the contents of his IDE's window. I mean, in terms of security that's a pretty horrifying bug right there..."""



Charles SchlossChas4 Wednesday, June 22, 2011 2:26:35 PM

Microsoft has been recent found to lie slightly (bending the truth) on many recent things

I still find it funny how the Windows 8 Html 5 announcement angered so many silverlight developers (not a fan of silverlight since it has the only 4 browser support)

Martin RauscherHades32 Wednesday, June 22, 2011 2:29:00 PM

You forgot to mention that MS pointed out in the bug report you cited, that the final version of Silverlight 5 (which is currently just a Beta) doesn't have this vulnerability.

I don't think MS wants to harm the web - in that particular case at least. Especially as they don't have anything competing with WebGL. (I really wouldn't let SL count in that respect...)

The point they're trying to make was really the very first thing I thought, when I first heard, how WebGL works. And to be true, I still haven't heard somebody suggesting a really good solution to this problem.

So I would be really interested in how Opera and/or the Khronos gorup is going to handle this in the future

ChrisSlamdex Wednesday, June 22, 2011 2:58:53 PM

Originally posted by ronitrex:

Both Silverlight and Webgl in their current forms aren't secure. Silverlight 5 isn't out yet, and the functionality can change.

They patched Firefox vulnerability. How isn't WebGL secure? Do you know about any other vulnerabilities?

It doesn't matter that Silverlight 5 isn't out yet. They were clearly not concerned about this DoS situation even though they were all over WebGL for the exact same thing. FAIL. Hypocrisy!

"The functionality can change" is a terrible excuse. Sure, they could take out the 3D. Then they might actually restore some of their dignity again! But will they? Let's see if they will remove 3D from Silverlight 5!

Originally posted by ronitrex:

The OpenGL driver didn't bother with data validation or sanity checks.

Which part of "WebGL doesn't allow you to simply pass things directly to the driver" did you not understand? WebGL doesn't just send any random stuff to the driver. It's intercepted and recompiled.

ChrisSlamdex Wednesday, June 22, 2011 3:01:43 PM

Originally posted by Hades32:

You forgot to mention that MS pointed out in the bug report you cited, that the final version of Silverlight 5 (which is currently just a Beta) doesn't have this vulnerability.

So what? That's irrelevant to the point being made.

The point is that Microsoft was spreading FUD about WebGL while at the same time doing the exact same thing with a proprietary Microsoft plugin. They were caught with their pants around their ankles!

And notice how no one at Microsoft said anything about how they were going to fix it in Silverlight? So basically, all we have is yet another claim from a company known for its lies.

I don't think MS wants to harm the web - in that particular case at least. Especially as they don't have anything competing with WebGL. (I really wouldn't let SL count in that respect...)

Who gives a crap? The fact is that they are hypocrites, and were caught with their pants down.

The point they're trying to make was really the very first thing I thought, when I first heard, how WebGL works. And to be true, I still haven't heard somebody suggesting a really good solution to this problem.


If they solved it in Silverlight, why can't they solve it in WebGL?

Martin RauscherHades32 Wednesday, June 22, 2011 6:20:54 PM

Chris: Try to be little bit more adult.

Originally posted by Slamdex:

The point is that Microsoft was spreading FUD about WebGL while at the same time doing the exact same thing with a proprietary Microsoft plugin.


I'd call it a valid concern, as nobody has yet presented a way to fully secure WebGL. And their plugin (supposedly) doesn't have the problem in the Final version. Nobody cares what happens in pre-release software.

The point is: It's always easy to fix a single implementation. So even if a plugin has a vulnerability it's not so bad, because there is only one person having to create a fix.

I really hope the community comes up with a good way to secure WebGL, but it has to be something implemented in the standard, because otherwise every browser vendor has to make its own little workaround/fix which may or may not be correct.

It may after all still be the case, that MS decided to fuck with the WebGL community, but if you look at this a little less emotional you will see, that there is no proof of this yet. (Especially as they only stated to not support it YET!)

BTW: Also Ars Technica seems to share my opinion: http://arstechnica.com/microsoft/news/2011/06/microsoft-no-way-to-support-webgl-and-meet-our-security-needs.ars
while the response of the Khronos groups is not very insightful...

Kirilljarinkirill Wednesday, June 22, 2011 7:48:25 PM

The most interesting thing in this story is that first Opera's proposal of 3D canvas ( http://my.opera.com/timjoh/blog/2007/11/13/taking-the-canvas-to-another-dimension ) was about higher level API than WebGL.

Tony Parisitonyparisi1 Thursday, June 23, 2011 3:33:08 AM

Totally, they've been here before. http://tonyparisi.wordpress.com/2011/06/20/shades-of-chrome/

Charles SchlossChas4 Thursday, June 23, 2011 5:54:05 AM

Originally posted by Hades32:

Nobody cares what happens in pre-release software.


Well you don't want bugs to carry on to finals from a pre release

ChrisSlamdex Thursday, June 23, 2011 9:12:39 AM

Originally posted by Hades32:

I'd call it a valid concern, as nobody has yet presented a way to fully secure WebGL.

No one has yet presented a way to fully secure a web browser. So let Microsoft freely spread FUD about web browsers, right? No need to criticize their hypocritical FUD, right?

No one denied that security is a concern, but SECURITY IS A CONCERN WITH ANY PIECE OF SOFTWARE CONNECTED TO THE INTERNET. It's hypocritical and stupid of someone to criticize something and pretend that the criticism is uniquely valid for that, while at the same time producing a proprietary product with exactly the same capabilities and security concerns.

Seriously, it's not that hard. You seem hellbent on defending Microsoft, but you are doing very poorly, and resorting to red herrings and factual distortions.

Originally posted by Hades32:

The point is: It's always easy to fix a single implementation. So even if a plugin has a vulnerability it's not so bad, because there is only one person having to create a fix.

Yes, because IE (and Flash) has shown how great it is to rely on a single implementation! Great example, Hades32.

Single implementation equals a single point of failure.

Multiple implementations is much more secure because a hole in one of them won't usually expose the other ones.

Originally posted by Hades32:

It may after all still be the case, that MS decided to fuck with the WebGL community, but if you look at this a little less emotional you will see, that there is no proof of this yet. (Especially as they only stated to not support it YET!)

I'm not sure how you could misunderstand the comment: "WebGL Considered Harmful"

Emotionally? You are clearly either emotionally or financially invested in Microsoft, or you wouldn't be using these poor arguments to support their indefensible hypocrisy.

Originally posted by Hades32:

BTW: Also Ars Technica seems to share my opinion: http://arstechnica.com/microsoft/news/2011/06/microsoft-no-way-to-support-webgl-and-meet-our-security-needs.ars
while the response of the Khronos groups is not very insightful...

Predictably, that dishonest piece of filth you call "insightful" was written by Peter Bright, a notorious Microsoft shill.

The moment you call an article by notorious shill Peter Bright "insightful" is when you lose any credibility you might have left.

ChrisSlamdex Thursday, June 23, 2011 9:15:07 AM

Originally posted by Chas4:

Well you don't want bugs to carry on to finals from a pre release

Even worse, Microsoft's security "experts" were unable to discover this laughably simple and basic "DoS attack" while their friends were writing that other article about DoS attacks against WebGL. They had to get someone from Google or Mozilla (not sure which one) to report it to them.

Hilarious!

Constantine Vesnac69 Friday, June 24, 2011 8:46:13 AM

1. 3D is the future.
2. But majority of current 3D apps are GAMES, or a software aimed to create games. (Yes, there do exist a lot of CAD tools, but how many "normal people" use them ?)
3. Video drivers are buggy and contain a lot of app-specific fixes just to be able to run those.
4. Web is attracting more and more cyber-criminals. You don't even need to be a programmer to hack people, as out-of-the-box kits are widely sold. Interner is becoming much less secure each year.
..

Thus:
Please add WebGL support so we will be able to run 3d in our browser, that would be cool ! (translation: i agree to loose my credit card to play some crappy game in the office )

irony aside - webGL is damn slow. you cannot hope to see GTA 4, Starcraft 2 or Gears of War 3 in a browser. so why bother now ?

there are dedicated plugins for 3D - Unity, QuakeLive, Flash. People who feel adventurous - MIGHT install and use them on their own risk. But enabling 3d for everyone - is just madness.

Originally posted by Slamdex:

How isn't WebGL secure?


It's fundamentally insecure by design.
Almost the same as allowing to run .exe files within web-pages.

ChrisSlamdex Friday, June 24, 2011 10:43:31 AM

Originally posted by c69:

Video drivers are buggy and contain a lot of app-specific fixes just to be able to run those.

The web also contains a lot of browser-specific fixes, but that's slowly being fixed. With WebGL you get a proper standard which responsible driver vendors will take seriously. Non-issue.

Originally posted by c69:

Web is attracting more and more cyber-criminals. You don't even need to be a programmer to hack people, as out-of-the-box kits are widely sold. Interner is becoming much less secure each year.

You can say that about anything connected to the web, so this is just dishonest FUD.

Originally posted by c69:

irony aside - webGL is damn slow. you cannot hope to see GTA 4, Starcraft 2 or Gears of War 3 in a browser. so why bother now ?

These are just early days. A couple of years ago WebGL didn't even exist. Also, you are assuming that the market needs hardcore games with insane graphics right away.

Originally posted by c69:

It's fundamentally insecure by design.


No it isn't. Please stop lying.

Write a comment

New comments have been disabled for this post.