DOS vulnerability in Silverlight 5's 3D (similar to WebGL DOS vulnerability) - by Benoit Jacob

Status: Fixed

This item has been fixed in the current or upcoming version of this product.
A more detailed explanation for the resolution of this particular item may have been provided in the comments section.


ID: 676134
Status: Closed
Type: Bug
Repros: 0
Opened: 6/20/2011 11:17:04 AM
Access Restriction: Public

Description

Recently Microsoft published an article about a WebGL DOS vulnerability:
http://blogs.technet.com/b/srd/archive/2011/06/16/webgl-considered-harmful.aspx

The same vulnerability exists in Silverlight 5, here's a proof of concept (warning, crashes your system)
http://people.mozilla.org/~bjacob/SilverLight5DOSJustLikeWebGL/HelloWorld3D/Bin/Debug/HelloWorld3DTestPage.html

Normally I wouldn't file a Silverlight bug report about that since this really isn't specific to Silverlight (or WebGL, or any particular 3D API), but the above-mentioned Microsoft security article suggests that Microsoft thought that it would be WebGL-specific.
Posted by Benoit Jacob on 12/22/2011 at 1:48 PM
I've now rebuilt the testcase against the real Silverlight 5 (RTM), it's available at the same URL as before:
http://people.mozilla.org/~bjacob/SilverLight5DOSJustLikeWebGL/HelloWorld3D/Bin/Debug/HelloWorld3DTestPage.html

It seems that all NVIDIA drivers are now blacklisted, including the currently latest WHQL, version 285.62.

If I right-click, go to the Silverlight preferences, and specifically 'Allow' the testcase to use blacklisted drivers, then it still runs and still causes the same effects as before (sometimes blue screen, sometimes random display corruption).

So it seems that the solution adopted by Microsoft is to blacklist ALL versions of at least the NVIDIA driver, and presumably of all drivers (since other driver vendors are not AFAIK doing better than NVIDIA on this front). This is equivalent to making Silverlight 5 3D disabled by default.

I am happy to see that Microsoft is taking this issue seriously, and I'm happy to see the pressure that blacklisting all current drivers imposes on driver vendors: hopefully that will get them to prioritize work to resolve this issue.

Active discussion is going on between WebGL browser vendors and driver vendors on this topic, and I believe that Microsoft could make a very valuable contribution to it.

@ Tamas: if you do as explained above (to circumvent the driver blacklist) and restart your browser, you should be able to run the updated testcase.

Posted by Tamas Flamich on 12/11/2011 at 6:09 AM
I tried it with the RTM. Launching the app says:

Render mode: Unavailable
Reason: SecurityBlocked
Posted by Benoit Jacob on 9/8/2011 at 11:36 AM
This bug is not fixed in Silverlight 5 RC.

I just had to make trivial changes to adapt to API changes in Silverlight 5 Beta compared to the beta. The updated testcase is at the same address as before. It still works in Internet Explorer 9.

The effect is still the same as before: in the best case the display freezes and flickers for some time, and I still hit bugs in the NVIDIA 275.33 driver leading to BSODs or random display corruption.

The only Silverlight change that I did notice is that after Silverlight 3D has been DOS'd, it seems to be disabled in the current browser session. However, this doesn't do anything to prevent the first DOS, which can be enough to get a BSOD depending on the driver; and moreover, in order to get the DOS again, it is enough to close the browser and restart it. So I don't see how this is useful.
Posted by Microsoft on 6/21/2011 at 12:18 PM
To clarify the earlier statement, DoS mitigations are implemented in current internal builds and will ship with Silverlight 5 RTM.
Posted by Benoit Jacob on 6/21/2011 at 9:47 AM
I look forward to the final Silverlight 5 with the fix for this DoS, but in the meantime I am curious as to what the fix consists of?

As far as I can see, any fix would have to involve working with GPU vendors toward making 3D APIs more resilient to DoS. The WebGL working group has been doing exactly that ( http://www.khronos.org/webgl/security/ ). If Microsoft is doing the same, it would be nice to work together on this front.
Posted by Microsoft on 6/21/2011 at 9:35 AM
Thank you for reporting and helping to ensure a quality release. Silverlight 5 is currently in Beta. Security hardening and the complete implementation of the security plan happens over the full course of product development. DoS issues such as this are addressed in an upcoming release.
Posted by MS-Moderator10 [Feedback Moderator] on 6/20/2011 at 6:54 PM
Thank you for submitting feedback on Visual Studio 2010 and .NET Framework. Your issue has been routed to the appropriate VS development team for investigation. We will contact you if we require any additional information.
Posted by Benoit Jacob on 6/20/2011 at 2:05 PM
The source code and Visual Studio solution for the proof-of-concept is here:
http://people.mozilla.org/~bjacob/SilverLight5DOSJustLikeWebGL.zip
Posted by MS-Moderator01 on 6/20/2011 at 11:49 AM
Thank you for your feedback, we are currently reviewing the issue you have submitted. If this issue is urgent, please contact support directly (http://support.microsoft.com).