The royalty free cross platform API for browser based 3D graphics known as WebGL has been found to be insecure and potentially harmful to machines. Apparently WebGL allows other web pages to exploit the browser. WebGL utilizes hardware acceleration and because of more of the user system can be exposed. The reason for that is that WebGL access is the graphics card drivers. So, if there are vulnerabilities that are discovered in graphics cards there isn’t a simple security update the can be run. The driver rules differ from one piece of hardware to the next.

Microsoft Security Response Center Engineering has issued an announcement and support of evidence stating that they cannot endorse the use of WebGL in its current form. They believe that WebGL exposes much more of a user's system than previously and could result in remote compromise.

Hopefully in the near future WebGL we'll be able to get these issues sorted out. It would be nice to see something of this nature implemented into browsers. In fact, the stable release is just over three months old. WebGL made its debut March 3, 2011 so it is still very young.

View the full article

An interesting point to note is that often graphics device drivers are run in kernel-space (as opposed to user-space).

True. That's part of the problem, because it's privileged code.

What Microsoft isn't saying is that Silverlight 5 suffers from exactly the same insecurity.

.