I'm not surprised. Video drivers are big, complicated and buggy. They are developed within very tight performance and time constraints and have had little reason to think about security until now. Exposing a large part of them to the public internet is begging for trouble.
On the other hand, if it's ever going to happen, it will probably take a few embarrassing public incidents to make the vendors change their priorities.
"It really worries me that the FreeType font library is now being made to accept untrusted content from the web. The library probably wasn’t written under the assumption that it would be fed much more than local fonts from trusted vendors who are already installing arbitrary executable on a computer, and it’s already had a handful of vulnerabilities found in it shortly after it first saw use in Firefox."
This should come as no surprise to anyone, really.
10 years ago we had similar issues with 2d graphics. For example, rendering huge fonts could cause the X display server to crash: http://xforce.iss.net/xforce/xfdb/9313
With WebGL, the attack surface is many times larger. I'm sure we'll see plenty of exploits leveraging vulnerabilities in the display subsystem.
It could be. Who knows. What I do know is that Chrome & ChromeOS have got some of the most diligent security-minded hackers in the world working on them. I get occasional updates on the stuff they are doing to make Chrome secure. Things like the sandbox, SPDY, HSTS and more. This sort of thing will just motivate them to work smarter & harder.
I get your point. However, this isn't a fix; it is, according to the article, a vulnerability that allows "remote execution of malicious code". People who know WebGL better than I do would probably know more about what specific exploits it facilitates.
It was tongue-in-cheek. I think it's silly that Microsoft adds "_s" to a lot of the standard functions; it makes porting more difficult.
Of course, it was sillier not to write "strcpy" as strcpy(dest,maxSize,src) from the beginning. And "memcpy" as memcpy(dest,maxSize,count,src). But I guess whoever wrote those wasn't really expecting them to be among the most frequently used functions in computer programming history...
This is a _good_ thing. Graphics drivers are so ridiculously terrible that the pressure to fix them needs to come from somewhere. IMVU's top reported crash is access violations inside of Direct3D. Mass-market 3D is a pain in the ass because of this situation, and Intel, Microsoft, NVIDIA, and AMD aren't doing anything about it.