Is WebGL as Bad as Microsoft Claims?

Analysis
Jun 22, 2011 | 3 mins
Browsers, Graphic Design Tools, Microsoft

The graphics library is supposed to bring 3D graphics to the browser, but Microsoft says it's insecure. Do they have a point?

Microsoft caused a stir last week when it posted a lengthy discourse on why it would not support WebGL, a new software library that extends JavaScript to allow 3D interactive graphics in a browser.  

Every other major browser will support WebGL: Mozilla Firefox, Google Chrome, Apple Safari and even Opera, the stripped-down, basic browser. But Microsoft said no, and the refusal didn't come from the developer group; it came from the Microsoft Security Research Center group.

The reason cited was that Microsoft products supporting WebGL would have trouble passing Microsoft’s internal Security Development Lifecycle requirements. Microsoft cited three specific problems: browser support for WebGL directly exposes hardware functionality to the Web in a way that it considered to be overly permissive; browser support for WebGL security services relies too heavily on third parties to secure the Web experience; and there are problematic system DoS scenarios.

The first complaint is probably the biggest. Video drivers are notoriously buggy. Nvidia and AMD are constantly releasing new drivers, sometimes just days apart from a previous release. True story: AMD released new Radeon drivers on June 15, and when I installed the drivers, the installation partly failed. Ten minutes after installing the drivers, my system froze for the first time in months.

Microsoft wouldn’t be able to control flaws in drivers exposed to Windows through WebGL without seriously impacting the system. Microsoft’s only alternative would be to block and/or disable those drivers with known exploits, which would cause all kinds of user problems, and guess who’d take the blame for it?

Some bloggers, especially the anything-but-Microsoft crowd, were quick to accuse the company of going back to its not-invented-here mentality, but Microsoft has long shed that mentality. It’s hard to make that argument when developers right now are fretting that Microsoft will abandon .Net and Silverlight in favor of HTML 5 in Windows 8.

Microsoft’s position was buttressed a little by Context Information Security, a software security firm in the UK, which had made similar arguments almost a month before Microsoft did.

Mike Shaver, Mozilla’s vice president of technical strategy, responded to Microsoft in a blog post that Mozilla is working to address weaknesses as noted by Microsoft, and then pointed out that Silverlight 5 is attempting to do the same things as WebGL and thus has the same vulnerabilities.

Circling back to the point I made earlier about Nvidia and Vista, we’re often quick to blame Microsoft for problems when it actually isn’t within their domain. In recent years, there has been a major effort to harden the operating system and browser, and Shaver noted in his blog that the Vista/7 display driver model is much improved. The people who need to make a security effort now are the GPU vendors.