This is not your ordinary rewards program, it’s Google’s way of paying it forward… to hackers. After celebrating the one-year anniversary of its unique initiative this past November — in which the coding-inclined are compensated for exposing critical flaws across its suite of web services — the folks over at Mountain View have updated the program’s policies with a bigger chunk of cash. Previously, the search giant had set a max payout of $3,133.7 for any discovered vulnerabilities (a bizarre sum, we know), but that cap has now seen an increase up to $20,000 depending on the severity of the reported bug. For a company with billion-dollar coffers, the move appears to be nothing other than a good-faith investment in the security research community. But if you lean a bit closer to the paranoiac line, it could also be viewed as a countermeasure to other, higher-paying firms with less than honorable intentions. Whether your rose-colored glasses are on or off, it’s still nice work if you can get paid for it. And who knows? You might even make it to the Security Hall of Fame.
Well, it looks like Microsoft is taking those warnings about WebGL pretty seriously. The company has decided not to support the web-based 3D standard because it wouldn’t be able to pass security muster. Highest on the list of concerns is that WebGL opens up a direct line from the internet to a system’s GPU. To make matters worse, holes and bugs may crop up that are platform- or video-card-specific, turning attempts to plug holes in its defense into a game of whack-a-mole — with many players of varying reliability. Lastly, Microsoft, like security firm Context, has found current solutions for protecting against DoS attacks rather unsatisfying. Lack of support in Internet Explorer won’t necessarily kill WebGL and, as it matures, Microsoft may change its tune — but it’s still a pretty big blow for all of us hoping the next edition of Crysis would be browser-based.
Google spent a lot of time yesterday talking up WebGL, but UK security firm Context seems to think users should disable the feature because it poses a serious security threat, and the US Computer Emergency Readiness Team (CERT) is encouraging people to heed that advice. According to Context, a malicious site could pass code directly to a computer’s GPU and trigger a denial of service attack or simply crash the machine. Ne’er-do-wells could also use WebGL and the Canvas element to pull image data from another domain, which could then be used as part of a more elaborate attack. Khronos, the group that organizes the standard, responded by pointing out that there is an extension available to graphics card manufacturers that can detect and protect against DoS attacks, but it did little to satisfy Context — the firm argues that inherent flaws in the design of WebGL make it very difficult to secure.
Now, we’re far from experts on the intricacies of low-level hardware security but, for the moment at least, there seems to be little reason for the average user to panic. There’s even a good chance that you’re not vulnerable at all since WebGL won’t run on many Intel and ATI graphics chips (you can check by clicking here). If you’re inclined to err on the side of caution you can find instructions for disabling WebGL at the more coverage link — but come on, living on the cutting edge wouldn’t be anywhere near as fun if it didn’t involve a bit of danger.