How do you get a virus from surfing the net? Not a dumb question...

Not a dumb question, I think :dubious:

I can see the following scenario: download an .exe and run it. You’re asking for trouble on that one. After all, a program that you install and run has complete access to your computer’s resources.

But… If I just use the browser and click, click, click… it appears that vbscript/jscript/asp etc. can have the same powerful access that a locally run .exe does. Is that true? If so, that’s crazy: what was Bill Gates thinking?

You might guess where this is coming from. I recently got a virus. I’m running AVG free (not sure if that’s great protection for this type of problem) and the latest Firefox. Firefox seems to have the correct security settings.

Here is the best quote to describe the internet which is similar to your description. It isn’t a dumb question but it is impossible to answer without more details. All software is insecure to some degree and there are some very smart people that try to study and harness its weaknesses for their own personal gain or thrill. I am head of IT for a pharmaceutical factory which is heavily protected. It is all I can do to keep up with the latest threats. Windows isn’t especially insecure, especially these days. It is just popular, which makes it the most common target. You should see what happens when the corporate Unix servers get taken down, which happened recently, and that software is supposed to be as mature and stable as it comes. It is all just one big logical string of ones and zeros at the end; some people enjoy defeating it.

Typically, the scripting languages aren’t meant to be that powerful, but they always have little bugs that can be exploited for increased access to your computer. Hackers and developers/security researchers are engaged in an eternal battle to find and patch these.

The more software you use – Firefox, Flash, Javascript, Java, ActiveX, etc., the more potential bugs there are and thus the more likely somebody will eventually exploit an unpatched one that your virus scanner won’t detect.

IE8 under Windows Vista/7 under Protected Mode is probably more secure than Firefox, actually, despite what the hype would have you believe. That said, Firefox bugs are typically fixed much more quickly than IE ones; it just lacks the sandboxing that protected mode provides.

Don’t run as an Administrator on your computer and you will have automatically blocked 90% of the security bugs.

That advice only applies to Windows XP users. UAC means even “administrators” aren’t administrators until they click “continue” on the UAC prompt.

Part of it is also the web was originally designed to be pretty much benign. It was text. For a while it wasn’t sure whether “gopher” or the WWW would win out.

As the web developed it became a bit of a paradox. The primary function of a website is still to give information and to have you read it. But slowly, year by year, each website became more and more interactive.

With each interaction you have to give others control of a piece of your computer in order to exchange information. The more programs and information you exchange, the greater the likelihood there is a hole somewhere.

People don’t know about it 'cause no one looked for it.

So some people start looking for “holes” in programs that exchange info.

Now you’re probably thinking “Who would do that”? But it’s not quite that simple. To those people it is a challenge. Just like putting together a jigsaw is or solving a crossword is. To them they like to take apart a program, see how it works and see what flaws (if any) they can exploit.

With each exploitation, the designers of programs can fix their programs to stop future attacks.

Another part of it is quick downloads. Ever hear of anyone getting a virus on dialup now-a-days? Oh yes, it can happen but it’s not likely to. Because part of putting viruses and trojans on a computer depends on quickness. If you hit a site and then it can download something very quickly without you noticing. On a dialup connection you’re gonna notice something downloading. On a 10mb download it happens so quick if you do notice, it’s like a hiccup.

Ask yourself how many programs on my computer do I have that can exchange info.

Right now I have three web browsers, an email program, an FTP download, a torrent download application. There’s six chances right there for exploitation. And most people run far more applications that exchange info than that.

One of the older examples is the buffer overflow in jpg images. Due to a bug in how the jpg image file is processed, if you set certain bytes to certain values it would cause code placed in the comments section of the file to get executed. This was fixed a long time ago, but many of the viruses use similar methods.
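
The JPEG post above describes a parser trusting bytes in the file. As an added illustration (not from the thread, and not a reconstruction of the specific bug the poster means), the C sketch below shows the defensive side: walking a JPEG's marker segments and rejecting a comment segment whose declared length is impossible or runs past the end of the data. The function name, return codes and sample byte arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { JPEG_OK = 0, JPEG_NOT_JPEG = -1, JPEG_TRUNCATED = -2, JPEG_BAD_LENGTH = -3 };

/* Constructed samples: SOI, one COM (0xFFFE) segment, EOI. */
static const uint8_t SAMPLE_GOOD[] = {0xFF,0xD8, 0xFF,0xFE,0x00,0x04,'h','i', 0xFF,0xD9};
static const uint8_t SAMPLE_LEN0[] = {0xFF,0xD8, 0xFF,0xFE,0x00,0x00, 0xFF,0xD9};
static const uint8_t SAMPLE_LONG[] = {0xFF,0xD8, 0xFF,0xFE,0x00,0x10,'h','i'};

/* Walk the marker segments up to SOS/EOI and validate each declared length
   before using it. On JPEG_OK, *comment_bytes holds the total COM payload. */
int jpeg_check_segments(const uint8_t *buf, size_t n, size_t *comment_bytes)
{
    size_t pos = 2, total = 0;
    if (n < 4 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_NOT_JPEG;                    /* no SOI marker */
    while (n - pos >= 2) {
        if (buf[pos] != 0xFF) return JPEG_NOT_JPEG;
        uint8_t marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; } /* fill byte before a marker */
        pos += 2;
        if (marker == 0xD9 || marker == 0xDA) {  /* EOI, or SOS: headers done */
            *comment_bytes = total;
            return JPEG_OK;
        }
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                            /* markers with no length field */
        if (n - pos < 2) return JPEG_TRUNCATED;
        size_t len = ((size_t)buf[pos] << 8) | buf[pos + 1];
        /* The length counts its own two bytes. With len < 2, the payload
           size (len - 2) wraps to a huge unsigned value in a careless parser. */
        if (len < 2) return JPEG_BAD_LENGTH;
        if (len > n - pos) return JPEG_TRUNCATED; /* runs past end of buffer */
        if (marker == 0xFE) total += len - 2;
        pos += len;
    }
    return JPEG_TRUNCATED;                       /* ended without EOI/SOS */
}

int main(void)
{
    size_t c = 0;
    printf("good: %d\n", jpeg_check_segments(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &c));
    printf("len0: %d\n", jpeg_check_segments(SAMPLE_LEN0, sizeof SAMPLE_LEN0, &c));
    printf("long: %d\n", jpeg_check_segments(SAMPLE_LONG, sizeof SAMPLE_LONG, &c));
    return 0;
}
```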