Microsoft says Internet Explorer will not support the WebGL specification, which is designed to give web applications access to 3D graphics processing power, for security reasons.
WebGL has been enabled by default in Firefox 4 and Google Chrome, and can be turned on in the latest build of Safari.
But according to engineers at the Microsoft Security Response Center (MSRC), the Khronos Group's application programming interface (API) is a potential source of hard-to-fix vulnerabilities.
They also say the API is incompatible with Microsoft's Security Development Lifecycle (SDL) requirements and point to recent reports on WebGL's vulnerabilities by security research firm ContextIS.
WebGL vulnerable to malicious code
According to ContextIS, a number of serious security issues have been identified with WebGL. They can allow an attacker to supply malicious code via a web browser to attack the graphics processing unit (GPU) and graphics drivers, and such attacks could render the entire machine unusable.
The security firm says there are other dangers with WebGL that put users' data, privacy and security at risk. It says these issues are inherent to the WebGL specification and would require significant architectural changes to remediate in the platform design.
The top concern of the Microsoft engineers is that browser support for WebGL directly exposes hardware functionality to the web in a way that Microsoft considers to be "overly permissive".
The security of WebGL, they say, depends on lower levels of the system, which means OEM drivers will need to uphold security guarantees they have never had to worry about before.
"Without an efficient security servicing model for video card drivers [such as Windows Update] users may either choose to override the protection to use WebGL on their hardware, or remain insecure if a vulnerable configuration is not properly disabled," according to an MSRC blog post.
The MSRC team is also concerned that it will be possible for any website to freeze or reboot systems at will, which is an issue for some important usage scenarios such as in critical infrastructure.
"In its current form, WebGL is not a technology Microsoft can endorse from a security perspective. We recognise the need to provide solutions in this space, however it is our goal that all such solutions are secure by design, secure by default, and secure in deployment," the MSRC team said.