Microsoft brands WebGL a 'harmful' technology

Microsoft has announced that it has no plans to support WebGL - a cross-platform low-level 3D graphics API designed for web use - in its future browsers, citing numerous security concerns over the technology.

An unnamed Microsoft engineer has confirmed that the company's research department has been investigating WebGL, but concluded that the technology "would have difficulty passing Microsoft's Security Development Lifecycle requirements," and thus will not become a feature of future Internet Explorer browsers.

The reasons cited by the engineer are largely the same as those publicised by Context Information Security's Michael Jordan back in May: the direct exposure of low-level hardware functionality to web sites; a reliance on third parties (graphics driver vendors) to secure the web experience; and the potential for malicious - or even badly-written - sites to perform system-wide denial of service attacks.

"The security of WebGL as a whole depends on lower levels of the system, including OEM drivers, upholding security guarantees they never really needed to worry about before," Microsoft's engineer claims. "Attacks that may have previously resulted only in local elevation of privilege may now result in remote compromise. While it may be possible to mitigate these risks to some extent, the large attack surface exposed by WebGL remains a concern.

"As WebGL vulnerabilities are uncovered, they will not always manifest in the WebGL API itself. The problems may exist in the various OEM and system components delivered by IHVs. While it has been suggested that WebGL implementations may block the use of affected hardware configurations, this strategy does not seem to have been successfully put into use to address existing vulnerabilities."

The vote of no confidence will come as a blow to The Khronos Group, which developed the standard, and to developers who are already looking to WebGL to provide hardware-accelerated 3D functionality for future web applications.

The Khronos Group has yet to respond to Microsoft's comments, which can be read in full over on the company's Security Research & Defence blog.