DOS vulnerability in Silverlight 5's 3D (similar to WebGL DOS vulnerability) by Benoit Jacob

I've now rebuilt the testcase against the real Silverlight 5 (RTM), it's available at the same URL as before:
http://people.mozilla.org/~bjacob/SilverLight5DOSJustLikeWebGL/HelloWorld3D/Bin/Debug/HelloWorld3DTestPage.html

It seems that all NVIDIA drivers are now blacklisted, including the currently latest WHQL, version 285.62.

If I right-click, go to the Silverlight preferences, and specifically 'Allow' the testcase to use blacklisted drivers, then it still runs and still causes the same effects as before (sometimes blue screen, sometimes random display corruption).

So it seems that the solution adopted by Microsoft, is to blacklist ALL versions of at least the NVIDIA driver, and presumably of all drivers (since other driver vendors are not AFAIK doing better than NVIDIA on this front). This is equivalent to making Silverlight 5 3D disabled by default.

I am happy to see that Microsoft is taking this issue seriously, and I'm happy to see the pressure that blacklisting all current drivers imposes on driver vendors: hopefully that will get them to prioritize work to resolve this issue.

Active discussion is going on between WebGL browser vendors and driver vendors on this topic, and I believe that Microsoft could make a very valuable contribution to it.

@ Tamas: if you do as explained above (to circumvent the driver blacklist) and restart your browser, you should be able to run the updated testcase.

I tried it with the RTM. Launching the app says:

Render mode: Unavailable
Reason: SecurityBlocked

This bug is not fixed in Silverlight 5 RC.

I just had to make trivial changes to adapt to API changes in Silverlight 5 Beta compared to the beta. The updated testcase is at the same address as before. It still works in Internet Explorer 9.

The effect is still the same as before: in the best case the display freezes and flickers for some time, and I still hit bugs in the NVIDIA 275.33 driver leading to BSODs or random display corruption.

The only Silverlight change that I did notice, is that after Silverlight 3D has been DOS'd, it seems to be disabled in the current browser session. However, this doesn't do anything to prevent the first DOS, which can be enough to get a BSOD depending on the driver; and moreover, in order to get the DOS again, it is enough to close the browser and restart it. So I don't see how this is useful.

To clarify the earlier statement, DoS mitigations are implemented in current internal builds and will ship with Silverlight 5 RTM.

I look forward to the final Silverlight 5 with the fix for this DoS, but in the meantime I am curious as to what the fix consists of?

As far as I can see, any fix would have to involve working with GPU vendors toward making 3D APIs more resilient to DoS. The WebGL working group has been doing exactly that ( http://www.khronos.org/webgl/security/ ). If Microsoft is doing the same, it would be nice to work together on this front.

Thank you for reporting and helping to ensure a quality release. Silverlight 5 is currently in Beta. Security hardening and the complete implementation of the security plan happens over the full course of product development. DoS issues such as this are addressed in an upcoming release.

Thank you for submitting feedback on Visual Studio 2010 and .NET Framework. Your issue has been routed to the appropriate VS development team for investigation. We will contact you if we require any additional information.

The source code and Visual Studio solution for the proof-of-concept is here:
http://people.mozilla.org/~bjacob/SilverLight5DOSJustLikeWebGL.zip

Thank you for your feedback, we are currently reviewing the issue you have submitted. If this issue is urgent, please contact support directly(http://support.microsoft.com)