A security bug in Firefox on OS X and WinXP

Context, the group who publicised the WebGL cross-site image and DoS issues a few weeks back, blogged about a nasty bug yesterday. It appears to only affect Firefox 4 on Mac OS X and Windows XP, but is a serious issue there; essentially, a WebGL page with the exploit could get access to parts of your graphics card’s memory that had been used by other web pages or applications, and so could conceivably get confidential data. The problem was fixed in Firefox 5 beta 5, and the final 5.0 release is expected to come out early next week. So if you’re using Firefox 4 on an affected OS, I would definitely suggest you switch to the beta if you want WebGL, or switch it off for now if you don’t (though I can’t imagine many readers here won’t want it enabled but safe :-)

While it’s certainly a good thing that this bug has been found and fixed, the timing of their release of the information is a bit disappointing. The normal procedure for a reputable security company when they find a bug like this, which could affect many tens of thousands of users worldwide, is to contact the software author with a proof-of-concept, wait a reasonable amount of time for a fixed version to become available, and then to release the information. This system works well for everyone — the software’s users get security patches, the author gets to create a better product, and the security researchers get the publicity of having solved a potentially nasty problem.

In this case, however, Context appear to have released details of the workings of the attack before the fix was available to normal non-beta-using Firefox users — and they say in their blog post that the fixed version is “expected 21st June 2011”, which means that they knew full well that they were doing that. Surely they could have waited for a few days so that normal users could easily upgrade their browsers?

Coincidentally, Microsoft — who are eminently qualified to talk about software security flaws — also chose yesterday to blog about their concerns with WebGL’s security. While their concerns are understandable, ultimately they can be boiled down to “WebGL isn’t secure right now so we’re not going to implement it”. Certainly, leading-edge new technologies tend to have security problems — anyone who remembers the early days of JavaScript will remember that. Microsoft implemented JavaScript quickly when it first came out, however. Perhaps they’ve been burned so often by security issues that they take a more conservative attitude these days.

[UPDATE: here's an interesting counterpoint to the Microsoft post by Jeff Muizelaar -- thanks to Stephen White for the link]

[UPDATE: fixed errors in the Firefox 5 beta timeline -- thanks to Benoit Jacob]

4 Responses to “A security bug in Firefox on OS X and WinXP”

  1. nammkooo says:

    M$ is teaching about security,>[email protected]

  2. jd says:

    I think it’s pretty safe to say MS is most likely funding Context indirectly. My guess is that they are feverishly working on WebGL for IE, in the event they are unable to kill WebGL with the usual fear, uncertainty, and doubt. Which at this point in time is like sweeping back the ocean with a broom. To me, this is just an affirmation that WebGL has nailed the sweet spot, and the latecomers are realizing it’s going to prevail.

    Similar things are happening on the Java front … looks like a rather organized effort against Google.

  3. jd says:

    One other thing to ponder. The behavior of Ellison with Java, and the death of Silverlight just further cement the fact that all client side apps (workstation and mobile) will be JavaScript with HTML5. Things are really going to get interesting the instant iOS turns on WebGL in Safari.

  4. giles says:

    @jd — re: MS funding Context — who knows? A lot of people suspect it, but I don’t think there’s been any evidence put forward. Re: WebGL’s eventual success — I definitely agree (but then I would, wouldn’t I? ;-) but it’s interesting to see that at least one person at MS thinks so too.
