Friday 16 March 2012

$253 million worth of music files compromised in Sony hack




The hack on Sony's widely used PlayStation Network was widely reported last year and joined the ranks of that year's biggest headlines. The PSN hack compromised the personal details of some 77 million registered online gamers, and the hackers also gained access to credit card data. But what followed close on the heels of the PSN hack went seemingly unreported until now. The Daily Mail reports that at almost the same time as the PSN hack, Sony suffered yet another breach, this time of its long, distinguished music catalogue, which contains titles from noted artists such as Jimi Hendrix, Paul Simon, Olly Murs, the Foo Fighters and Avril Lavigne, all of which were compromised. The shocker in the report, however, was that the hackers also managed to break into Michael Jackson’s entire back catalog of published music, as well as previously unreleased tracks. Sony reportedly purchased the Jackson catalog in 2010, a year after the singing legend's demise, paying £250million for the seven-year rights to the songs.


 
 
The report further reveals that a total of 50,000 songs are known to have been compromised, making this the biggest hack in the music industry so far. The report pegs the entire loss at around $253 million. After discovering the hack, Sony informed the Jackson estate, but did not make the incident public, since no customer data had been compromised. "The contract with Jackson's estate also allowed them to release 10 new albums, including material from studio sessions produced during the making of some of the star's biggest albums. The singer, who died in June 2009 at the age of 50, had recorded unreleased duets with artists ranging from the late Freddie Mercury and Black Eyed Peas singer Will.i.am," the report added.

Reportedly, Sony discovered that its music catalog was broken into during routine checking of social networking sites, Jackson fan sites and hacking forums. The report quoted a source close to the company as saying that everything the company purchased from the Jackson estate was broken into by the hackers. Sony then checked its systems, only to discover the breach, which showed a degree of sophistication. Sony reportedly then "identified the weakness and plugged the gap."


Wednesday 7 March 2012

Yahoo to sue Facebook?


Facebook has a new $5 billion credit deal, doubling a previous $2.5 billion credit agreement as it prepares for an initial public offering.
The social networking company based in Menlo Park, Calif., said in a regulatory filing Wednesday that it has also signed a $3 billion bridge-loan facility to pay taxes on restricted stock units in connection with its IPO. Those are employee shares that will vest when the company goes public.
Facebook, which has 845 million monthly active users by its own calculations, also disclosed that fake or duplicate accounts may represent about 5 percent to 6 percent of that figure.
And it gave some new revenue insights by geography. Facebook said in the filing that it is seeing rapid revenue growth in Brazil and in India. The company had 27 million monthly users in Brazil, up nearly fourfold from a year earlier but accounting for only 30 percent to 40 percent of the country's Internet-connected population. Its presence in China, where Facebook access is restricted, is nearly nonexistent.
Facebook's recent patent spat with Yahoo is also in the updated filing. Yahoo Inc. sent a letter to Facebook on Feb. 27 alleging copyright infringement and threatening to sue. Facebook said in the filing that it is still investigating Yahoo's claims and that Yahoo has yet to file a lawsuit.

Monday 5 March 2012

150+ Sites Hacked by Pak Cyber Pyrates #opFreedomPalestine





Recently it was found that 150+ websites were defaced by Pak Cyber Pyrates in the name of #opFreedomPalestine. All the websites show the same page with a video stating the reason for it as the killing of innocent people.
Here is the link to the video which was posted on the websites: http://www.youtube.com/watch?feature=player_embedded&v=7VKwtxeYiFs

The list of websites are:-




Indian Cyber Hunters have recently hacked the following domains:


http://mymcdonaldscoupons.ca/
http://couponsforwalmart.ca/
http://amazoncoupon.ca/
http://whichmobile.ca/
http://darkknightrisesrumors.com/
http://iraqinewsdinar.com/


Claiming that they are back in action, Cyber Hunters have targeted a handful of websites, defacing them.
On visiting the websites you would find the above image with the message "Hacked".

50+ Indian Sites Hacked By P@KhTuN~72 & Sizzling Soul


A recent post showed pictures of http://windshieldprofessionals.in/ getting hacked by P@KhTuN~72 & Sizzling Soul, as reported on the mirror http://www.z-z0ne.tk/defacements/?id=9304.

A typical post listing the various sites that got hacked:




Mass Deface 50+ Indian Sites Hacked By P@KhTuN~72 & Sizzling Soul

It's March... & after few days ......

P@KhTuN~72 's Birthday........ I mean my Birthday ......

A Birthday Gift for Indians ...lolzzzz 
Video Link:
http://www.youtube.com/watch?v=v7IwOzxlQho

Mirrors:






It seems that these hacker groups are getting more vigorous day by day, as the frequency of the hacks and the sophistication of the tools used are increasing.

Saturday 3 March 2012

WikiLeaks: Journalists Paid to Provide Info to Private Intelligence Firm



Journalists were paid to provide information to the intelligence firm Stratfor, according to the latest tranche of company emails leaked by WikiLeaks.
The firm courted media outlets in almost 50 countries, according to the documents.
Stratfor largely had significant contacts in Eastern Europe and the former Soviet Union. In 2009 and 2010, the firm signed contracts with the Azerbaijan Press Agency, Serbia’s Politika and B92, HotNews in Romania, The Baltic Times, Georgia’s The Messenger, and the Georgia Times, Moldova’s Jurnal Trust Media, Macedonia’s MakFax, Poland’s Warsaw Business Journal, the European Union’s EurActiv, Kyrgyzstan’s The Central Times of Asia, and more.
Among the contributors was the English-language newspaper Kyiv Post, an OCCRP partner.  Editor Brian Bonner says his newspaper provided the Texas-based firm with information and sometimes published their analysis reports on their site.
“Stratfor, while it bills itself exotically as a private strategic intelligence service, is nothing more from what I can see than a paid subscription service that employs a worldwide network of contributors, analysts, informants that collect open-source information and analyze it for their paying customers, which include businesses, governments and think tanks,” he wrote in an email to OCCRP.
Bonner maintains that working with Stratfor does not run contrary to journalistic norms.
“If Stratfor did anything illegal or unethical, I don't know about it -- and it would cause us to review our partnership with them,” he wrote.
Bonner said his journalists provided “valuable on-the-ground information, but nothing that any good, well-connected journalist working in Ukraine didn't know or couldn't discover.”
Stratfor’s agreements with media in so many countries were a big cause for concern, said WikiLeaks when they released the list on February 27.
“While it is acceptable for journalists to swap information or be paid by other media organisations, because Stratfor is a private intelligence organisation that services governments and private clients these relationships are corrupt or corrupting.”
But Jo Jakobsen, a professor at the Norwegian University of Science and Technology who has spent much of his career studying Risk Analysis firms, says risk analysis firms of all stripes, especially those which are not focused on one country or region, “get sources on the ground” including journalists.
“The impression you get from Wikileaks is that this Stratfor firm does a lot of shady things, corruption, and all that, but I don’t really see that, because paying sources on the ground is not a matter of corruption, necessarily.  Not that I know all the details, but newspapers do that as well, as a matter of necessity.”
He says Stratfor, which he characterized as a medium to small sized company, portrays itself as a semi-CIA type intelligence agency, but it is not.
“If you’re going to be a CIA type organization, it requires a lot of resources, and Stratfor just doesn’t have a lot of resources.  As far as I understand, the attack on Stratfor’s computer system, was really down to Stratfor not implementing standard ordinary protection, because it cost too much.”
One problem journalists face working for private intelligence firms is that it is not clear who the firms themselves are working for.  They may be providing data for predatory businessmen, corrupt officials or even organized crime groups.
Risk analysis and business intelligence firms often court journalists, says Brant Houston, the John S. and James L. Knight Foundation Chair in Investigative and Enterprise Reporting and former executive director of Investigative Reporters and Editors (IRE).
“There’s no question that intelligence firms are interested in good reporters because they work quickly, they track things down very quickly and given what they’re normally paid they usually don’t cost that much if they have the potential to hire them,” he told OCCRP.
Houston said the problem lies in the lack of a sustainable business model in which journalists can be paid decently for their work.
“Journalists have been underpaid and undervalued for the work that they do, particularly investigative journalists, there comes to be a point where they have to work for other people to make ends meet.”
But, he says, crossing over into the intelligence industry can cost a publication’s credibility or strain relationships with governments. If a newspaper chooses to do it, it must be transparent and should have firewalls or other means of separating the journalism from the corporate intelligence, he counsels.
“And in the end the public will decide how satisfied they are with that.  And the second question is will the government of the country that you’re in be satisfied or will they see you as someone working for another government’s intelligence organization.”
Many organizations spurned Stratfor’s offers. According to the documents, Stratfor tried but could not find partners in Nigeria, Kenya and South Africa, and they had a difficult time finding partners in Latin America. Only Colombia’s El Espectador signed a contract in 2009. Brazil’s O Tempo, Argentina’s La Nacion, and Peru’s La Republica were not interested.

Anonymous, Decentralized and Uncensored File-Sharing is Booming


The file-sharing landscape is slowly adjusting in response to the continued push for more anti-piracy tools, the final Pirate Bay verdict, and the raids and arrests in the Megaupload case. Faced with uncertainty and drastic changes at file-sharing sites, many users are searching for secure, private and uncensored file-sharing clients. Despite the image its name suggests, RetroShare is one such future-proof client.
The avalanche of negative file-sharing news over the past weeks hasn’t gone unnoticed by users and site operators.
From SOPA to Megaupload, there is a growing uncertainty about the future of sharing.
While many BitTorrent sites and cyberlockers continue to operate as usual, there is a growing group of users who are expanding their horizons to see what other means of sharing are available if the worst case scenario becomes reality.
Anonymous, decentralized and uncensored are the key and most sought-after features. For some this means signing up with a VPN to make their BitTorrent sharing more private, but new clients are also generating interest.
Earlier this month we wrote about Tribler, a decentralized BitTorrent client that makes torrent sites obsolete. We’ve covered Tribler for more than half a decade, but it was only after our most recent post that it really took off with more than a hundred thousand downloads in a few days.
But there are more file-sharing tools that are specifically built to withstand outside attacks. Some even add anonymity into the mix. RetroShare is such a private and uncensored file-sharing client, and the developers have also noticed a significant boom in users recently.
The RetroShare network allows people to create a private and encrypted file-sharing network. Users add friends by exchanging PGP certificates with people they trust. All the communication is encrypted using OpenSSL and files that are downloaded from strangers always go through a trusted friend.
In other words, it’s a true Darknet and virtually impossible to monitor by outsiders.
RetroShare founder DrBob told us that while the software has been around since 2006, all of a sudden there’s been a surge in downloads. “The interest in RetroShare has massively shot up over the last two months,” he said.
“In January our downloads tripled when interest in SOPA was at its peak. It more than doubled again in February, when cyberlockers disabled sharing or shut down entirely. At the moment we are getting 10 times more downloads than in December 2011.”

RetroShare’s downloads at Sourceforge
RetroShare’s founder believes that there is an increased need for security, privacy and freedom among file-sharers, features that are at the core of his application.
“RetroShare is about creating a private space on the Internet. A social collaboration network where you can share anything you want. A space that is free from the prying eyes of governments, corporations and advertisers. This is vitally important as our freedom on the Internet is under increasing threat,” DrBob told TorrentFreak.
“RetroShare is free from censorship: like Facebook banning ‘obscene’ breast-feeding photographs. A network that allows you to use any pseudonym, without insisting on knowing your real name. A network where you will not face the threat of jail, or being banned from entry into a country for an innocent tweet.”

Downloading with RetroShare
It’s impossible to accurately predict what file-sharing will look like 5 years from now. But, a safe assumption is that anonymity will play a more central role than it ever has.
Recent crackdowns have made operators of central file-sharing sites and services more cautious of copyright infringement. Some even went as far as shutting down voluntarily, like BTjunkie.
In the long run this might drive more casual downloaders to legitimate alternatives, if these are available. Those who keep on sharing could move to smaller communities, darknets, and anonymous connections.

Friday 2 March 2012


NASA hacked, laptop with Space Station codes disappears

In space, no one can hear you hack. 
NASA issued a report this week detailing startling breaches that suggest a universe of trouble in the agency's security department. 
Last year, NASA's Pasadena-based Jet Propulsion Laboratory was attacked by hackers with IP addresses originating from China. Intruders had full control of the networks, the report revealed, accessing NASA employee credentials, and opening sensitive files with the ability to alter, copy and delete.
The report went on to disclose that NASA was the target of 47 such cyberattacks -- sophisticated, well organized, and well funded -- in 2011. But this is just the tip of the meteoroid. 
In total, the space agency suffered 5,408 information security incidents "that resulted in the installation of malicious software on or unauthorized access to its systems" over the course of two years, CNN reports.
During that time nearly 50 high-tech mobile devices were also lost or stolen. One notable item to disappear was an unencrypted laptop containing the command and control code algorithms used to operate the International Space Station (ISS).
In the report, named “NASA Cybersecurity: An Examination of the Agency’s Information Security,” the agency’s inspector general, Paul Martin writes that intrusions "affected thousands of NASA computers, caused significant disruption to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7 million."
Martin testified in front of Congress on Wednesday speaking of NASA's inability to monitor lost mobile devices as an issue of national security, noting that until the agency implements a comprehensive encryption solution, highly sensitive information will remain vulnerable.

Chrome harder target for attackers!

RSA CONFERENCE 2012 -- San Francisco, Calif. -- The major browsers have all made solid strides in security in the past few years, but Chrome's sandbox makes Google's browser a harder target for attackers to exploit with malicious code, four researchers said here in a presentation yesterday.
The group of researchers -- all current or former employees of security consultancy Accuvant -- gave attendees an in-depth tour of their results at the conference, which were published late last year. Some controversy has surrounded the security comparison because Google -- the maker of the Chrome browser -- funded the study.
Microsoft's Internet Explorer and Google's Chrome's countermeasures made both browsers more secure on the metrics used by Accuvant, with Google's browser edging out Microsoft's in sandboxing technology, Shawn Moyer, practice manager for Accuvant, told conference attendees.
"We focused heavily on exploitation mitigation in this paper," Moyer said. "We accepted that users will click on things and the browser will be exploited, but if you have something that you can use to contain the hack, you are going to raise the bar for attackers."
The survey has been criticized by NSS Labs, a security testing firm that came to a different conclusion in a paper last year: Microsoft's SmartScreen URL reputation system helped Internet Explorer catch 96 percent of all malicious Web sites. Google's Chrome came in a distant second place, catching about 13 percent of websites.
At the RSA Conference, the researchers repeatedly stressed that their paper and methods are open. Anyone can review and redo the testing, Moyer argued. Moreover, they also pointed out that they could not replicate NSS Labs' findings. They found all three browsers were equally poor at catching malicious pages.
Chrome distanced itself from other browsers mainly because of its sandbox technology -- a virtual playpen in which the browser runs but cannot impact other applications' data or the operating system. Internet Explorer has some sandboxing, but not as completely as Chrome, the researchers said. A strong sandbox helps keep the operating systems secure because a malicious program that runs inside the sandbox cannot access any system resources outside of the virtual machine.
Sandboxes are important because they help limit or prevent damage when a user inadvertently runs malicious code. "It's the difference between closing a tab versus reinstalling the operating system" because of malicious code, said Paul Mehta, an Accuvant researcher and presenter.
Patching is another area where Google excelled. The researchers analyzed the disclosure and patch timelines of vulnerabilities patched in each browser and found that Google took the shortest amount of time to patch -- 53 days. Mozilla came in second at 158 days and Microsoft took 214 days. Data on vulnerability disclosure was scarce, the researchers said because -- especially in Microsoft's case -- a complete timeline was generally not available.
Google and Firefox have an advantage in patching because they are standalone browsers, while Microsoft has to deal with the tight integration of Internet Explorer with the Windows operating system, said Chris Valasek, senior research scientist with software security firm Coverity. Valasek originally worked on the project while employed at Accuvant.
"Internet Explorer is quite ingrained into the Windows operating system," Valasek said. "Therefore there is a lot more QA that has to be done for the browser. You don't want to fix a vulnerability and break stability with the entire operating system."
While Google Chrome does well with its strong sandbox and patching, Microsoft has done a solid job of hardening Internet Explorer against a common type of attack that can bypass two major operating-system countermeasures: data-execution protection and address space layout randomization. The attack, known as JIT spraying, uses the just-in-time compilation of a runtime language such as JavaScript to circumvent an operating system's defenses.
It's such a popular technique that every piece of software should implement countermeasures. Microsoft created the most complete set of countermeasures in Internet Explorer, with Google having a subset of preventative measures, the researchers said.
"A big push right now is to harden software against exploits so that the cost of exploitation is increased," Mehta said. "Software that does not implement JIT hardening actually decreases the cost of exploitation."
In the end, if given a critical flaw that affected all three browsers, the researchers would likely attempt to exploit it first on Firefox because it's easiest.
"If we had the same vulnerability in every browser, we would not pick Chrome to exploit," Valasek said.