It seems like nothing is safe from Internet attacks these days after a security consultancy warned that now graphics card drivers could be a new target for cyber hackers.
British security consultancy Context disclosed in an advisory Thursday that security issues in WebGL, a browser Web standard designed to bring 3D graphics to Web pages on the Internet could leave users susceptible to denial of service and other cyber attacks.
WebGL is on by default in Firefox 4 and the recently hackable Google Chrome, and can be turned on in the latest versions of Safari.
The security issues enable hackers to execute malicious code on users' computers via a Web browser, which allows attacks on the GPU and graphics drivers that could render the entire machine unusable.
"These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design," security researcher James Forshaw wrote oin the Context advisory.
The problem occurs in the way that the WebGL is implemented, and the way current PC and Graphics Processor architectures are designed, Forshaw said.
Unlike other browser content, WebGL provides direct access to the graphics hardware, employing shader code that's uploaded then executed directly on the system. However, current hardware and graphics pipeline implementations are not designed to maintain security boundaries, experts say.
"Once a display list has been placed on the GPU by the schedule, it can be difficult to stop it, at least without causing obvious, system-wide visual corruption and instabilities," Forshaw wrote.
Subsequently, hackers could obtain access to the hardware drivers by crafting malicious code, and tricking a victim into installing it by opening a malicious Web page or clicking on infected content embedded on a legitimate site.
In addition, the WebGL API's direct access to the hardware also flings the door wide open for denial of service attacks. Unlike typical DoS attacks, in which the user's Web experience is blocked, the WebGL DoS exploit would crash the operating system or prevent users from being able to access their computer.
Windows 7 and Vista are less susceptible to attacks than XP due to the fact that their OS will be forced to reset if the GPU locks up for around two seconds, stopping all applications from using 3D graphics.
crn
British security consultancy Context disclosed in an advisory Thursday that security issues in WebGL, a browser Web standard designed to bring 3D graphics to Web pages on the Internet could leave users susceptible to denial of service and other cyber attacks.
WebGL is on by default in Firefox 4 and the recently hackable Google Chrome, and can be turned on in the latest versions of Safari.
The security issues enable hackers to execute malicious code on users' computers via a Web browser, which allows attacks on the GPU and graphics drivers that could render the entire machine unusable.
"These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design," security researcher James Forshaw wrote oin the Context advisory.
The problem occurs in the way that the WebGL is implemented, and the way current PC and Graphics Processor architectures are designed, Forshaw said.
Unlike other browser content, WebGL provides direct access to the graphics hardware, employing shader code that's uploaded then executed directly on the system. However, current hardware and graphics pipeline implementations are not designed to maintain security boundaries, experts say.
"Once a display list has been placed on the GPU by the schedule, it can be difficult to stop it, at least without causing obvious, system-wide visual corruption and instabilities," Forshaw wrote.
Subsequently, hackers could obtain access to the hardware drivers by crafting malicious code, and tricking a victim into installing it by opening a malicious Web page or clicking on infected content embedded on a legitimate site.
In addition, the WebGL API's direct access to the hardware also flings the door wide open for denial of service attacks. Unlike typical DoS attacks, in which the user's Web experience is blocked, the WebGL DoS exploit would crash the operating system or prevent users from being able to access their computer.
Windows 7 and Vista are less susceptible to attacks than XP due to the fact that their OS will be forced to reset if the GPU locks up for around two seconds, stopping all applications from using 3D graphics.
crn
