WebGL graphics memory stealing issue

Lucas Adamski


Issue

There is a specific security issue with the WebGL implementation in Firefox 4.

Impact to users

This issue allows attackers to capture screenshots of private or confidential information.

Status

Mozilla is aware of this bug and has issued a fix that will be released with the next version of Firefox, tentatively scheduled for June 21. This is a Firefox-specific implementation issue, not a WebGL specification issue. In the interim, users can protect themselves by updating to Firefox Beta or temporarily disabling WebGL. To disable WebGL, go to about:config in Firefox and set webgl.disabled to true.
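
One way to check and apply the webgl.disabled mitigation across Firefox profile directories, as an added example that is not part of the original advisory. It assumes the standard profile files prefs.js and user.js, with user.js applied over prefs.js at startup; the function names and the sample profiles are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches an active (not commented-out) pref line for webgl.disabled.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"webgl\.disabled"\s*,\s*(true|false)\s*\)\s*;', re.M)

def pref_value(path):
    """Return the last webgl.disabled value set in a prefs file, or None."""
    if not path.is_file():
        return None
    found = PREF_RE.findall(path.read_text(encoding="utf-8", errors="replace"))
    return (found[-1] == "true") if found else None

def webgl_disabled(profile_dir):
    """True if the profile will start with WebGL disabled."""
    for name in ("user.js", "prefs.js"):  # user.js wins when it sets the pref
        value = pref_value(Path(profile_dir) / name)
        if value is not None:
            return value
    return False  # pref never set: default applies and WebGL stays enabled

def enforce(profile_dir):
    """Append the mitigation to user.js unless the profile already has it."""
    if webgl_disabled(profile_dir):
        return False
    with open(Path(profile_dir) / "user.js", "a", encoding="utf-8") as fh:
        fh.write('\nuser_pref("webgl.disabled", true);\n')
    return True

def demo():
    """Constructed profiles: already mitigated, overridden back, untouched."""
    samples = {
        "mitigated": {"prefs.js": 'user_pref("webgl.disabled", true);\n'},
        "overridden": {"prefs.js": 'user_pref("webgl.disabled", true);\n',
                       "user.js": 'user_pref("webgl.disabled", false);\n'},
        "default": {"prefs.js": 'user_pref("browser.startup.page", 3);\n'},
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, files in samples.items():
            prof = Path(root) / name
            prof.mkdir()
            for fname, body in files.items():
                (prof / fname).write_text(body, encoding="utf-8")
            before = webgl_disabled(prof)
            results[name] = (before, enforce(prof), webgl_disabled(prof))
    return results  # name -> (disabled before, file changed, disabled after)
```

Firefox reads user.js only at startup, so a profile changed by enforce() is protected after the next restart.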

Credit

The bug was reported by Context.

8 responses

  1. Ed wrote on :

    Worlds of Worry!
    context? OK MS bs OK just know it.
    Move on!

  2. Danny Moules wrote on :

    Good catch, though the value of the actual abstract they’ve provided to the public leaves much to be desired (it’s called ARB_robustness, not ARB_watertight). It’s nice to see people are putting WebGL implementations through their well-needed paces.

  3. Michael Kaply wrote on :

    So this bug will only be fixed in Firefox 5? There are no plans to put this in a Firefox 4 refresh?

  4. Daniel Veditz wrote on :

    Firefox 5 -is- the Firefox 4 refresh

    http://www.conceivablytech.com/7747/products/no-more-updates-for-firefox-4-chromium-14-released (also see earlier “lifecycle” thread on mozilla.dev.planning)

    From a product perspective there will be no more “Firefox N”, just “Firefox”. The number is there under the hood so people can double-check they’re up to date.

  5. anonmouse wrote on :

    In general, WHY is WebGL enabled by default on all sites? This seems like a very dumb decision security-wise. The spec is nascent right now, why not have a pop-up saying “Do you want to enable this beta feature for this site for now?” ?

  6. Phil wrote on :

    Could this be why my machine crashes, if I try to update from 3.6 to 4? I don’t have a video card, just the onboard & non-3D video. It’s not just FF freezing, the entire OS crashes on first run of FF 4! I had to use IE to research how to roll back. Until I know exactly what it is, this machine will never run FF 4. My secondary PC made the transition OK, however.

  7. Daniel Veditz wrote on :

    Phil: this has nothing to do with your crashes which are almost certainly due to incompatible 3rd party software. If you’ve submitted crash reports to Mozilla and know the crash IDs we might be able to finger the culprit. Some problems are solved by starting in “safe-mode” and then disabling the bad add-on or plugin. If safe-mode doesn’t help sometimes the problem is a malware infection that has gone unnoticed until it starts conflicting with things–in which case switching to IE may stop the crashing but you’ve still got the malware spying on you!

    There are too many possibilities to diagnose in a blog, please seek help from http://support.mozilla.com/

  8. Dan wrote on :

    Which bug numbers fixed this for Firefox 5?