If I'm reading the bulletin right, then all the issues can only be exploited from code already running on your machine. So if you have a single user machine and aren't already owned then this is a non-issue and the verbiage in the title and PC World article is not warranted.
The people that actually need to update are:
* Multi-user systems with some untrusted users.
* Users with malware on their system already (which could privilege escalate)
If you use a web browser or play multiplayer video games then there will be code running on your system that interacts with GPU drivers that you haven't explicitly chosen to download and which could potentially exploit certain vulnerabilities.
This highlights why we shouldn't let browsers (google) keep expanding their reach outside of the historical sandbox. It's almost like all the in-browser Java and Flash problems being repeated. They're creating security problems more than helping legitimate developers. WebGL was fine. Websockets were fine. WebGPU and the recently proposed arbitrary socket API are jumping the shark. Raw GPU access and TCP/UDP access are simply bad ideas from inexperienced people and need to be shut down. If you truly need that stuff I think the solution is to step up your game and make native applications.
I'm not sure why WebGPU is a step too far but WebGL isn't? Every other API for using a GPU went the same direction; why should HTML be stuck with a JS projection of OpenGL ES while native developers get Vulkan? The security properties of both are very similar, Vulkan/Metal/DX12 just lets you skip varying levels of compatibility nonsense inherent in old graphics APIs.
> why should HTML be stuck with a JS projection of OpenGL ES while native developers get Vulkan?
Because web browsers are supposed to be locked down and able to run untrusted code, not an operating system that reinvents all the same failings of actual operating systems. They should be functionally impaired in favor of safety as much as possible. For the same reason you don't get access to high precision timing in browser (a lesson that took a while to learn!), you shouldn't have arbitrary capabilities piled onto it.
Those are all historical remnants. Modern web browsers serve a radically different purpose than they did in the 90s. It doesn't make sense to even keep calling them "web browsers" since most people don't know what a "web" is, let alone "browse" it.
Modern browsers are application runtimes with a very flexible delivery mechanism. It's really up to web developers to decide what features this system should have to enable rich experiences for their users. Declaring that they should be functionally impaired or what they "should be" without taking into account the user experience we want to deliver is the wrong way of approaching this.
To be clear: I do think we should take security very seriously, especially in the one program people use the most. I also think reinventing operating systems to run within other operating systems is silly. But the web browser has become the primary application runtime and is how most people experience computing, so enabling it to deliver rich user experiences is inevitable. Doing this without compromising security or privacy is a very difficult problem, which should be addressed. It's not like the web is not a security and privacy nightmare without this already. So the solution is not to restrict functionality in order to safeguard security, but to find a way to implement these features securely and safely.
> Modern browsers are application runtimes with a very flexible delivery mechanism.
Clearly this is true. But as someone with an old-school preference for native applications over webapps (mostly for performance/ux/privacy reasons) it irritates me that I need to use an everything app just to browse HN or Wikipedia. I don't want to go all hairshirt and start using Lynx, I just want something with decent ux and a smaller vulnerability surface.
> it irritates me that I need to use an everything app just to browse HN or Wikipedia
But why?
That feels like saying it irritates someone they need to run Windows in order to run Notepad, when they don't need the capabilities of Photoshop at the moment.
An everything app is for everything. Including the simple things.
The last thing I'd want is to have to use one browser for simpler sites and another for more complex sites and webapps and constantly have to remember which one was for which.
Some of us don't use the web for anything other than websites. I'm honestly not even sure what people are talking about with some proliferation of "apps". There's discord/slack, and...? And chat was on the road to being an open protocol until Google/Facebook saw the potential for lockin and both dropped XMPP.
I already have an operating system. It's like saying I don't need notepad to be able to execute arbitrary programs with 3D capabilities and listen sockets because it's a text editor.
You also wouldn't need to remember what your generic sandbox app runtime is. Use your browser, and if you click on a link to an app, you'll be prompted to open the link using your default handler for that mime type.
> I'm honestly not even sure what people are talking about with some proliferation of "apps". There's discord/slack, and...?
Are you not familiar with Gmail or Google Maps or YouTube?
> I already have an operating system.
But Gmail and Google Maps and YouTube don't run on the OS. And this is a feature -- I can log into my Gmail on any browser without having to install anything. Life is so much easier when you don't have to install software, but just open a link.
> Use your browser, and if you click on a link to an app, you'll be prompted to open the link using your default handler for that mime type.
But I like having news links in Gmail open in a new tab in the same window. The last thing I want is to be juggling windows between different applications when tabs in the same app are such a superior UX.
Imagine how annoying it would be if my "app" browser had tabs for Gmail and Maps and YouTube and my "docs" browser had tabs for the NYT and WaPo and CNN, and I couldn't mix them?
Or if the NYT only worked in my "docs" browser, but opening a link to its crossword puzzle opened in my "apps" browser instead?
That's a terrible user experience for zero benefit at all.
(And I still would have to remember which is which, even if there's a MIME type, for when I want to go back to a tab I already opened!)
Calling gmail or youtube apps is already kind of a stretch. Gmail splits everything into separate web pages with the associated loading times and need to navigate back and forth. Exacerbating this is that it paginates things, which is something you only ever see in web pages. It lacks basic features you'd expect out of an application like ability to resize UI panes. Youtube has a custom, worse version of a <video> tag to prevent you from saving the videos (even CC licensed ones, which is probably a license violation), but is otherwise a bunch of minimally interactive web pages.
Maps is legitimately an interactive application, though I'd be surprised if most people don't use a dedicated app for it.
The point is you wouldn't have an "apps browser" with tabs. If something is nontrivial, launch it as an actual application, and let the browser be about browsing websites with minimal scripting like the crossword puzzle. Honestly there probably should be friction with launching apps because it's a horrible idea to randomly run code from every page you browse to, and expanding the scope of what that code is allowed to do is just piling on more bad ideas.
> it irritates me that I need to use an everything app just to browse HN or Wikipedia.
...this is possibly missing the point, but it occurs to me that you don't have to. Hacker News and Wikipedia are two websites I'd expect to work perfectly well in e.g. Links.
It's a bigger problem if you want to read the New York Times. I don't know whether the raw html is compatible, but if nothing else you have to log in to get past their paywall.
I don't necessarily disagree. But there's no going back now. There's a demand for rich user experiences that are not as easy to implement or deliver via legacy operating systems. So there's no point in arguing to keep functionality out of web browsers, since there is no practical alternative for it.
If rich ux can be delivered in a web browser then it can be delivered in a native app. I'd assert that the reason this is uncommon now (with the exception of games) is economic not technological.
It is partly economic, but I would say that it's more of a matter of convenience. Developing a web application is more approachable than a native app, and the pool of web developers is larger. Users also don't want the burden of installing and upgrading apps, they just want them available. Even traditional app stores that mobile devices popularized are antiquated now. Requesting a specific app by its unique identifier, which is what web URLs are, is much more user friendly than navigating an app store, let alone downloading an app on a traditional operating system and dealing with a hundred different "package managers", and all the associated issues that come with that.
Some app stores and package managers automate a lot of this complexity to simplify the UX, and all of them use the web in the background anyway, but the experience is far from just loading a web URL in a browser.
And native apps on most platforms are also a security nightmare, which is why there is a lot of momentum to replicate the mobile and web sandboxing model on traditional OSs, which is something that web browsers have had for a long time.
The answer is somewhere in the middle. We need better and more secure operating systems that replicate some of the web model, and we need more capable and featureful "web browsers" that deliver the same experience as native apps. There have been numerous attempts at both approaches over the past decade+ with varying degrees of success, but there is still a lot of work to be done.
Every package manager I know of lets you install a package directly without any kind of Internet connection (I haven't tried much, but I've run into CORS errors with file URIs that suggest browser authors don't want those to work). They also--critically--allow you to not update your software.
The web today is mostly a media consumption platform. Applications for people who want to use their computer as a tool rather than a toy don't fit the model of "connect to some URL and hope your tools are still there".
The difference is in the learning curve. On Windows, making a native app usually requires you to install a bunch of things - a compiler, a specific code editor, etc - in order to even be able to start learning.
Meanwhile, while that's also true for web apps, you can get started with learning HTML and basic JavaScript in Notepad, with no extra software needed. (Of course, you might then progress to actually using compilers like TypeScript, frameworks like React, and so on, but you don't need them to start learning.)
There's always been a much higher perceived barrier to be able to make native apps in Windows, whereas it's easier to get started with web development.
That settles it then. Let's remove all the innovations of the past 30 years that have allowed the web to deliver rich user experiences, and leave developers to innovate with static HTML alone. Who needs JavaScript and CSS anyway?
Seriously, don't you see the incongruity of your statement?
Putting everything, I mean everything into the browser, and arguing for it, is stupid. It stops being a browser then and becomes a native system, with the problems of the native systems accessing the open wild all over again. And then? Will there be a sandbox inside the browser/new-OS for the sake of security then? A sandbox inside a not-so-sandbox anymore?
Modern operating systems are bad and they are not going to be fixed. So the browser is another attempt at creating a better operating system.
Why modern operating systems are bad:
1. Desktop OSes allow installation of unrestricted applications. And actually most applications are unrestricted. While there are attempts at creating containerised applications, those attempts are weak and not popular. When I'm installing World of Warcraft, its installer silently adds a trusted root certificate to my computer.
2. Mobile OSes are walled gardens. You can't just run anything, you need to jump through many hoops at best or live in certain countries at worst.
3. There's no common ground for every operating system. Every operating system is different, has completely different APIs. While there are frameworks which try to abstract those things, those frameworks add their own pile of issues.
The browser just fixes everything. It provides a secure sandbox which is trusted by billions of users. It does not restrict the user in any way, there's no "Website Store" or something like that, you can open everything and you can bring your app online within a few minutes. It provides a uniform API which is enough to create many kinds of applications and it'll run everywhere: iPhone, Pixel, Macbook, Surface, Thinkpad.
Unrestricted app installation is not bad. It's a trade-off. It's freedom to use your own hardware how you want versus 'safety' and restriction imposed by some central authority which aims to profit. Fuck app stores, generally speaking. I prefer to determine what source to trust myself and not be charged (directly or indirectly) to put software on my own system.
An overwhelming majority of apps do not need full device access. All they need is to draw to the window and talk with the network.
Yes, there are apps which might need full filesystem access, for example to measure directory sizes or to search things on the filesystem. There are apps to check neighbour WiFi for security which need very full access to WiFi adapter and that's fine. But those apps could use another way of installation, like entering password 3 times and dancing for 1 minute, to ensure that user understands the full implications of giving such an access.
My point is that on a typical desktop operating system today, a typical application has too much access and many applications actually use that access for bad things, like spying on the user, installing their own startup launchers, updaters and whatnot. The web does that better. You can't make your webapp open when the browser starts, unless you ask the user to perform a complicated sequence of actions. You can't make your webapp access my ssh key unless you ask me to drag it into a webpage.
I agree. I'm not knowledgeable enough to say for sure, but my intuition is that the total complexity of WebGPU (browser implementation + driver) is usually less than the total complexity of WebGL.
WebGL is like letting your browser use your GPU with a condom on, and WebGPU is doing the same without one. The indirection is useful for safety assuming people maintain the standard and think about it. Opening up capability in the browser needs to be a careful process. It has not been recently.
It's my understanding that the browsers use a translation layer (such as ANGLE) between both WebGL and WebGPU and a preferred lower level native API (Vulkan or Metal). In this regard I don't believe WebGL has any more or less protection than WebGPU. It's not right to confuse abstraction with a layer of security.
My analogy was bad and I'd probably be wrong as you (and your sibling post) say to expect WebGPU to have any lurking dangers as compared to WebGL. I was mainly trying to express concern with new APIs and capabilities being regularly added, and the danger inherent in growing these surfaces.
It's clear that you know nothing about how WebGL or WebGPU are implemented. WebGPU is not more "raw" than WebGL. You should stop speaking confidently on these topics and misleading people who don't realize that you are not an expert.
I'd dispute that I know nothing. I'm not an expert but have worked with both, mostly WebGL. Anyways, sorry, it was a bad analogy and you're right, I don't know enough, particularly to say that WebGPU has any unique flaws or exposes any problems not in WebGL. I'm merely suspicious that it could, and maybe that is just from ignorance in this case.
That's incorrect, WebGPU has the exact same security guarantees as WebGL, if anything the specification is even stricter to completely eliminate UB (which native 3D APIs are surprisingly full of). But no data or shader code makes it to the GPU driver without thorough validation both in WebGL and WebGPU (WebGPU *may* suffer from implementation bugs just the same as WebGL of course).
> Opening up capability in the browser needs to be a careful process. It has not been recently.
That's what about 95% of the WebGPU design process is about and why it takes so long (the design process started in 2017). Creating a cross-platform 3D API is trivial, doing this with web security requirements is not.
Both WebGL and WebGPU should be locked behind a permission because they allow fingerprinting the user's hardware (also they provide the name of the user's graphics card). And because they expose your GPU drivers to the whole world.
Agree wholeheartedly (and I used to work on Safari/WebKit).
Cross-platform app frameworks have never been a panacea, but I think there may be a middle ground to be found between the web and truly native apps. Something with a shallower learning curve, batteries-included updating and distribution, etc. that isn’t the web or Electron.
That said, I worry that it’s too late. Even if such a framework were to magically appear, the momentum of the complex beast that is the web platform will probably not slow.
> I think the solution is to step up your game and make native applications
Say goodbye to anyone supporting Linux at all in that case. These rare security issues are a small price to pay for having software that works everywhere.
> malware that works everywhere is a small price for software that works everywhere
Yes.
Although the malware we're talking about doesn't actually work everywhere but only on one brand of GPU. But I would take it working everywhere over my computer not being useful.
Isn't WebGPU supposed to be containerized? So that it only accesses its processes, which are the computations it is running for rendering? I honestly don't know much but I had heard it was sandboxed.
It's not uncommon that I go to Shadertoy and see strange visual artifacts in some shaders including window contents of other applications running on my system, potentially including sensitive information.
It's difficult to make GPU access secure because GPU vendors never really prioritized security, so there's countless ways to do something that's wonky and accidentally leaks memory from something the app isn't supposed to have access to. You can containerize CPU and have strict guarantees that there's no way host memory will map into the container, but AFAIK this isn't a thing on GPUs except in some enterprise cards.
> ... including window contents of other applications running on my system, potentially including sensitive information.
If this is actually the case (which I doubt very much - no offense) then please definitely write a ticket to your browser vendor, because that would be a massive security problem and would be more news-worthy than this NVIDIA CVE (leaking image data into WebGL textures was actually a bug I remember right around the time when WebGL was in development, but that was fixed quickly).
Yeah that sounds like a basic garbage collection issue and isn't that the very basics of sandboxing? Is the rule not to not hand memory to a sandbox that hasn't already been overwritten with 0s or random information? This sounds analogous to the old C lack of bounds checking where you could steal passwords and stuff just by accessing out of bound memory. Is this not low hanging fruit?
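The scrub-before-reuse rule raised in the comment above, as an added illustration in plain C (not browser, driver or vendor code): a hypothetical fixed-size block pool shared by several tenants, with the scrub-on-free policy switchable so the difference is visible. Names (`pool_alloc`, `pool_free`, `bytes_leaked_to_next_tenant`) and the sample secret are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size block pool shared by several tenants (added example,
 * not browser or driver code). Memory is scrubbed before a block changes
 * hands, so a freed block never carries its previous owner's bytes into the
 * next allocation. With scrubbing off, the next tenant reads them verbatim. */

#define BLOCK_SIZE 64
#define NUM_BLOCKS 4

struct pool {
    uint8_t mem[NUM_BLOCKS][BLOCK_SIZE];
    int     owner[NUM_BLOCKS];   /* tenant id, or -1 when free */
    bool    scrub_on_free;       /* the policy under test */
};

/* Byte-wise volatile store: a plain memset() right before release is a dead
 * store the optimizer may delete, which is one way "zeroed" memory isn't. */
static void scrub(void *buf, size_t n)
{
    volatile uint8_t *p = buf;
    while (n--) *p++ = 0;
}

void pool_init(struct pool *p, bool scrub_on_free)
{
    memset(p->mem, 0, sizeof p->mem);
    for (int i = 0; i < NUM_BLOCKS; i++) p->owner[i] = -1;
    p->scrub_on_free = scrub_on_free;
}

/* Hands out the first free block without touching its contents, like an
 * allocator that relies on the releasing side having cleaned up. */
void *pool_alloc(struct pool *p, int tenant)
{
    for (int i = 0; i < NUM_BLOCKS; i++) {
        if (p->owner[i] == -1) { p->owner[i] = tenant; return p->mem[i]; }
    }
    return NULL;
}

void pool_free(struct pool *p, void *blk)
{
    for (int i = 0; i < NUM_BLOCKS; i++) {
        if (p->mem[i] == blk) {
            if (p->scrub_on_free) scrub(blk, BLOCK_SIZE);
            p->owner[i] = -1;
            return;
        }
    }
}

/* Tenant 1 writes a constructed secret and releases the block; tenant 2 then
 * receives the same block and counts how many bytes of the secret it can read.
 * Returns that count: 0 means the boundary held. */
size_t bytes_leaked_to_next_tenant(bool scrub_on_free)
{
    static const char secret[] = "constructed-sample-secret";   /* not real data */
    struct pool p;
    pool_init(&p, scrub_on_free);

    uint8_t *first = pool_alloc(&p, 1);
    memcpy(first, secret, sizeof secret);
    pool_free(&p, first);

    uint8_t *second = pool_alloc(&p, 2);   /* same block, different tenant */
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof secret; i++)
        if (secret[i] != '\0' && second[i] == (uint8_t)secret[i]) leaked++;
    return leaked;
}

int main(void)
{
    printf("without scrub: %zu secret bytes readable by next tenant\n",
           bytes_leaked_to_next_tenant(false));   /* 25 */
    printf("with scrub:    %zu secret bytes readable by next tenant\n",
           bytes_leaked_to_next_tenant(true));    /* 0 */
    return 0;
}
```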
TCP/UDP access is behind explicit prompt and it's basically the same as executing downloaded application, so I don't think that it's anything bad. Basically you either install software to your local system which does not have any restrictions or you use web application which still is pretty restricted and contained.
Would you be happy with two clicks? Three clicks? Like what's the principal difference? As I said, you can download and run an arbitrary application with one click today. And maybe a second click to confirm to the operating system (not sure if it's always necessary).
The insane thing is that an arbitrary application instantly has full access to your computer. And a web application is still heavily constrained and has to ask about almost every permission.
I would accept zero clicks on a browser that I've installed without this dangerous feature and /with a promise no autoupdate will sneak it in/.
The reason your web page has to be imprisoned in permissions is that it is a web page from just about anyone using access that the browser has given it without telling the user.
Each to their own but I consider native applications a step down from web apps.
"Screw it, I'm giving up my web app and will now pay Apple/Google the protection money and margin they demand to shelter within their ad-ridden ecosystem lock-in." ... yeah that's definitely a step down.
You're talking like android and ios are the only platforms. The downsides of those platforms don't justify a web browser (which should be safe to use) granting excessive capability to untrusted code.
Are you saying that WebGPU should only be supported on Android and iOS, because Android and iOS have more secure GPUs? Desktop browsers shouldn't support WebGPU (but should continue supporting WebGL)?
This to me is the big risk here. A worm hidden in a game mod or something.
I can see it staying in the wild for a long time too. How many of the people that are playing on these cards, or crypto mining, or doing LLM work, are really going to even find out about these vulnerabilities and update the drivers?
> This to me is the big risk here. A worm hidden in a game mod or something.
Game mods are already barely sandboxed to begin with. Unless proven otherwise (ie. by manually inspecting the mod package), you should treat game mods the same as random exes you got off the internet, not harmless apps you install on a whim.
The attack surface from a browser is tiny. All you can do is call into ANGLE or Dawn through documented, well-defined and well-tested APIs. Or use things like canvas and CSS animations, I suppose. Browser vendors care a lot about security, so they try to make sure these libraries are solid and you can't interact with the GPU in any other way.
Native applications talk directly to the GPU's kernel-mode driver. The intended flow is that you call into the vendor's user-mode drivers - which are dynamic libraries in your application's address space - and they generate commands and execute ioctls on your application's behalf. The interface between these libraries and the KMD is usually undocumented, ill-defined and poorly tested. GPU vendors don't tend to care about security, so if the KMD doesn't properly validate some inputs, well, that issue can persist a long time. And if there's any bit of control stream that lets you tell the GPU to copy stuff between memory you own and memory you don't... I guess you get a very long security bulletin.
The point is, webpages have access to a much smaller attack surface than native applications. It's unlikely anything in this bulletin is exploitable through a browser.
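The input validation that the comment above says a kernel-mode driver has to do before a copy command reaches the hardware, as an added user-space model in C (not code from the page or from any GPU vendor). It assumes a simple ownership model: each submitting context owns a few address ranges, and a copy is only queued when both its source and destination lie inside the submitter's own allocations; struct names, function names and all addresses are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the check a kernel-mode driver must do before a copy
 * command reaches the hardware (added example; not any vendor's driver code).
 * Each submitting context owns a few GPU address ranges; a copy names a source,
 * a destination and a length. Both ends must lie inside the submitter's own
 * allocations, otherwise the command is dropped before it is queued. */

#define MAX_ALLOCS 8

struct range { uint64_t base; uint64_t size; };

struct gpu_context {
    int          id;
    size_t       n_allocs;
    struct range allocs[MAX_ALLOCS];
};

struct copy_cmd { uint64_t src; uint64_t dst; uint64_t len; };

/* True when [addr, addr+len) lies wholly inside r. The arithmetic is arranged
 * so a huge len cannot wrap addr+len around to a small value and pass. */
static bool range_contains(const struct range *r, uint64_t addr, uint64_t len)
{
    if (addr < r->base) return false;
    uint64_t off = addr - r->base;
    if (off >= r->size) return false;
    return len <= r->size - off;
}

static bool context_owns(const struct gpu_context *ctx, uint64_t addr, uint64_t len)
{
    for (size_t i = 0; i < ctx->n_allocs; i++)
        if (range_contains(&ctx->allocs[i], addr, len))
            return true;
    return false;
}

/* Returns 0 if ctx may submit cmd, -1 if it must be rejected. A copy that
 * straddles two of the caller's own allocations is also rejected: each end
 * must fit one allocation, which keeps the check simple and conservative. */
int validate_copy(const struct gpu_context *ctx, const struct copy_cmd *cmd)
{
    if (cmd->len == 0) return -1;                       /* malformed: nothing to copy */
    if (cmd->src > UINT64_MAX - cmd->len) return -1;    /* src + len would wrap */
    if (cmd->dst > UINT64_MAX - cmd->len) return -1;    /* dst + len would wrap */
    if (!context_owns(ctx, cmd->src, cmd->len)) return -1;
    if (!context_owns(ctx, cmd->dst, cmd->len)) return -1;
    return 0;
}

/* Constructed sample contexts; the addresses are made up for the demo. */
struct gpu_context demo_context_a(void)
{
    struct gpu_context c = { .id = 1, .n_allocs = 2 };
    c.allocs[0] = (struct range){ 0x1000,  0x1000 };
    c.allocs[1] = (struct range){ 0x10000, 0x4000 };
    return c;
}

struct gpu_context demo_context_b(void)
{
    struct gpu_context c = { .id = 2, .n_allocs = 1 };
    c.allocs[0] = (struct range){ 0x20000, 0x1000 };
    return c;
}

int main(void)
{
    struct gpu_context a = demo_context_a(), b = demo_context_b();
    struct copy_cmd inside  = { 0x1000, 0x10000, 0x100 };              /* both ends owned by A */
    struct copy_cmd overrun = { 0x1000, 0x10000, 0x1001 };             /* src runs 1 byte past A's block */
    struct copy_cmd b_own   = { 0x20000, 0x20800, 0x100 };             /* owned by B, not by A */
    struct copy_cmd wrap    = { 0x1000, 0x10000, UINT64_MAX - 0x800 }; /* len chosen to wrap the address */

    printf("A inside:   %d\n", validate_copy(&a, &inside));   /* 0 */
    printf("A overrun:  %d\n", validate_copy(&a, &overrun));  /* -1 */
    printf("A on B's:   %d\n", validate_copy(&a, &b_own));    /* -1 */
    printf("B on B's:   %d\n", validate_copy(&b, &b_own));    /* 0 */
    printf("A wrap:     %d\n", validate_copy(&a, &wrap));     /* -1 */
    return 0;
}
```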
This is why Qubes OS, which runs everything in isolated VMs, doesn't allow them to use the GPU. My daily driver, can't recommend it enough if you care about security.
Numerous vulnerabilities are found in all browsers regularly, as well as in the root isolation in Linux. Similar with other OSes. The discussed article is one example.
In addition, Qubes is not so restrictive, if you don't play games or run LLMs.
I asked about your threat model, I'm aware that there are numerous vulnerabilities found in all browsers regularly. I just personally don't have a reason to care about that. It's like driving on the highway, every time you do it you create a period of vastly increased mortality in your life but that's often still very worthwhile, imo using Qubes is like going on back roads only because your odds of dying at highway speeds are so much higher.
If you consider specific listed threats as not a real threat model, then what else would you like to know? The threats are real and I value my data and privacy a lot. Also, I want to support a great OS by using it and spreading the word. Personally, using Qubes for me is not as hard and limiting as people think. It's the opposite: It improves my data workflow by separating different things I do on my computer.
Data being stolen (or getting ransomwared or whatever) from my personal machine is something I expect to happen maybe once or twice a lifetime as a baseline if I have like a bare veneer of security (a decent firewall on the edge, not clicking phishing links). I silo financial information (and banks also have security) so such a breach is extremely unlikely to be catastrophic. In general I don't find this to be worth caring about basically at all. The expectation is that it will cost me a couple weeks of my life as like an absolute worst case.
That is roughly equivalent to dealing with a security related roadblock to my workflow for 1 minute every day (or 10 security related popups that I have to click that cost me 6 seconds each or one 30 minute inconvenience a month). I think that even having the UAC popups enabled on Windows is too steep a price to pay.
I think security like this matters in places where the amount of financial gain for a breach is much much higher (concentrated stores of PII at a company with thousands of users for example) because your threat model has to consider you being specifically targeted for exploitation. As an individual worried about internet background hacking radiation it doesn't make sense for me to waste my time.
> I silo financial information (and banks also have security) so such a breach is extremely unlikely to be catastrophic
So you are doing manually what Qubes OS does automatically: security through compartmentalization.
> The expectation is that it will cost me a couple weeks of my life as like an absolute worst case.
This sounds quite reasonable but ignores privacy issues and issues with computer ownership with Windows; I guess you also don't care about that.
I do agree that using Qubes wastes more of my time than your estimates; however it also, e.g., encourages 100% safe tinkering for those who like it, prevents potential upgrade downtime, enables easy backup and restore process and more.
> I think security like this matters in places where the amount of financial gain for a breach is much much higher (concentrated stores of PII at a company with thousands of users for example)
If I owned crypto I would store the keys on a medium that people don't expect to find keys on and it would definitely not be live. (example, laser etched barcode into a rock)
A cursory search suggests such plugins aren't sandboxed and run with the same privileges as the main program itself, so I'd definitely be suspicious of any plugin.
The people that actually need to update are:
* Multi-user systems with some untrusted users.
* Users with malware on their system already (which could privilege escalate)
* virtualization hosts of untrusted guests.