The Microsoft Security Research & Defense team this week issued a serious warning about WebGL, a web browser technology that is supported by both Mozilla Firefox and Google Chrome. And they’re not screwing around.
Our analysis has led us to conclude that Microsoft products supporting WebGL would have difficulty passing Microsoft’s Security Development Lifecycle requirements. Some key concerns include:
Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive
Browser support for WebGL security servicing responsibility relies too heavily on third parties to secure the web experience
Problematic system DoS scenarios
We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective.
Yikes. Well, there you go.