Saturday, May 14, 2011

How To Disable WebGL

On May 11th, Swa Frantzen posted "Time to disable WebGL?" on the Internet Storm Center's Diary page (http://isc.sans.edu/diary.html?storyid=10867).  Dan Goodin also covered this story on the 11th: "New graphics engine imperils users of Firefox and Chrome" (http://www.theregister.co.uk/2011/05/11/chrome_firefox_security_threat/). 

Both articles point out that US-CERT has recommended that WebGL be turned off in browsers which support it (http://www.us-cert.gov/current/index.html#web_users_warned_to_turn).

The SANS piece mentions that in order to disable WebGL in Google Chrome "It needs the --disable-webgl argument on the command line".  After some testing, I have concluded that this only works once (i.e. in the browser session opened from the command line).  In addition, if you open the command window in the Run As Administrator mode, the command line argument does not work at all.

In order to disable WebGL on end user computers, it is necessary to change the target of every Google Chrome shortcut on a machine. 

To make this change in Windows 7:
1) right click the Google Chrome shortcut,
2) left click Properties,
3) click the Shortcut tab, and
4) change the Target to:
C:\Users\THEUSERNAME\AppData\Local\Google\Chrome\Application\chrome.exe --disable-webgl

This will not prevent users from creating a new WebGL enabled shortcut.
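
The manual steps above can be scripted for a machine with many shortcuts. The following PowerShell sketch is an added example, not part of the original post: it lists every shortcut that targets chrome.exe and reports whether --disable-webgl is present, and only rewrites shortcuts when run with -Apply. The folder list and the -Apply parameter name are assumptions. Re-running it in report mode also finds shortcuts created later without the flag.

```powershell
# Added example, not from the original post. Report-only unless -Apply is given.
param([switch]$Apply)

$flag = '--disable-webgl'   # the switch named in the post

# Assumed shortcut locations on Windows 7; extend for your environment.
$roots = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
) | Where-Object { Test-Path $_ }

$shell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    $path = $_.FullName
    $lnk  = $shell.CreateShortcut($path)

    # Only shortcuts whose target is chrome.exe are of interest.
    if ($lnk.TargetPath -notmatch '\\chrome\.exe$') { return }

    $status = 'missing flag'
    if ($lnk.Arguments -match '(^|\s)--disable-webgl(\s|$)') {
        $status = 'ok'
    }
    elseif ($Apply) {
        try {
            # Keep any existing arguments and append the flag.
            $lnk.Arguments = ("$($lnk.Arguments) $flag").Trim()
            $lnk.Save()
            $status = 'updated'
        }
        catch {
            # Shortcuts in all-users folders need an elevated prompt to write.
            $status = "failed: $($_.Exception.Message)"
        }
    }

    # One result object per Chrome shortcut found.
    New-Object PSObject -Property @{
        Shortcut  = $path
        Arguments = $lnk.Arguments
        Status    = $status
    }
}
```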


In Firefox 4.01, WebGL can be disabled by:
1) enter "about:config" in the address window,
2) scroll down to webgl.disabled and right click on it,
3) left click Toggle.

You can test your configurations by browsing to this site: http://www.webkit.org/blog-files/webgl/SpiritBox.html.  If the puppy appears in a rotating cube, WebGL is enabled.  If WebGL is disabled, you will see a photograph.

The WebGL extension designed to protect the GPU stack from exploitation, GL_ARB_robustness, has not been deployed by most GPU vendors.

Once WebGL is effectively sandboxed by Google and Mozilla, I will be happy to turn it back on.  Until then, the eye candy will have to wait.

Additional references:
    http://www.contextis.com/resources/blog/webgl/
    http://www.khronos.org/news/permalink/webgl-security

James McQuaid