I've heard that websites that download malicious data onto the user's computer without their consent do exist, but is this possible on an iMac as well as Windows and other operating systems? How about iPhones?
Basically, can websites download content onto your Apple device without your consent? I've heard that Apple devices are much more secure than Windows and Android and that they aren't as widely targeted.
The OS part is mostly irrelevant here. A web page is built from:
The browser by itself downloads the main HTML page and all its declared components and then executes the scripts. Things can become rather complex at this moment, because the scripts can do many things:
Normally, the browser cannot by itself execute something directly at the OS level, but everything is kept at the browser level in a kind of sandbox.
Additionally, some particular content are not directly executed by the browser but require a plugin. Flash video or games are typical of that
Thus there are different kinds of threats:
You are just right in one part. Apple OS is less used than Windows on desktops/laptops or Android on smartphones, and Apple developer environments are much more expensive than Windows or Android development kits (you can get the latter for free). That is a reason why you can find more malware targeted at Windows desktops/laptops than at Apple, Linux, or BSD systems, because of the cost/gain ratio from the malware developer. But I would not bet a coin that Apple system is so robust that it contains no vulnerabilities. Because any addon can come with its own vulnerabilities and I do not think that any iOS app has been thoroughly reviewed on a security point of view before being added to the App Store.
As it is signed by its developer, an app should not carry a malicious payload, but it can simply contain a vulnerability that could later be exploited by a malicious site... Slightly more complex, but still possible.
As it is signed by its developer, an app should not carry a malicious payload well nothing should contain a malicious payload.
Commented
May 29, 2017 at 20:52
In certain cases, yes it can, what it is usually called is a "drive by download": JavaScript exploits, Java exploits (or even you approving the download), and other exploits can indeed infect your computer, if you believe a website is risky you can download the NoScript extension or disable active plugins like Java or JavaScript entirely.
But please know that attacks where a malicious website can download malware onto your computer without your input [downloading a file. approving a prompt, etc], are very rare and will require a zero day exploit which is very expensive. This is why you are often asked to keep your software up to date, because any exploit found in a certain version can only be fixed in a later version, it isn't going anywhere.
The point of @leethax is technically almost OK except the fact that they are not very rare at all
Such infections exploitations are driven by what is called Exploit Packs // Exploit Kits which are basically toolkits that help exploiting client side vulnerabilities (this goes from the browser to java passing by flash or whatever client side stuff)
Common exploit targets have been vulnerabilities in Adobe Reader, Java Runtime Environment and Adobe Flash Player.
Characteristics of Exploit Kits
A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn’t need to know how to create exploits to benefit from infecting systems. Further, an exploit pack typically provides a user-friendly web interface that helps the attacker track the infection campaign.
Some exploit kits offer capabilities for delivering payload that remotely controls the exploited system, allowing the attacker to create an Internet crimeware platform for further malicious activities.
First, no website can download content onto any computer. From the website's perspective, the content is being uploaded to you, not downloaded. If a file is going from a website to you, then either you are downloading it or the website is uploading it.
Second, any website can get your computer to download arbitrary content. Your operating system is irrelevant, because it's necessary and desirable functionality. That's what a website is, basically. If I want to put an image on your computer, I just include it in the web page I'm serving to you, and your computer will download it so that it can display it. But there's no reason to worry about that. It's executing an arbitrary file that's a security risk, not just downloading it.
Yes, if and only if there is an exploitable vulnerability in the browser or OS, which there frequently is. For example see https://www.cvedetails.com/vulnerability-list.php?vendor_id=49&product_id=2935&order=3, all the ones that say "execute arbitrary code".
I'll answer this question from a rather theoretical perspective.
"I've heard that websites that download malicious data onto the user's computer without their consent do exist, but is this possible on an iMac[...]?"
Yes. As others pointed out, this is independent of the operating system.
A web page contains or refers to — and thus causes the browser to load — data in various formats. As Serge described, the first thing loaded is plain HTML. It may have modern extensions like style sheets. The HTML may embed or refer to media of various kinds like images, sound files, videos, scripts or flash animations which may be downloaded and opened (i.e. decoded and then played or displayed) by the browser without any user interaction beyond opening the original page.
The problem is that in principle any decoder for a data format, including plain HTML, may have bugs which can be exploited. (1) This includes data which is normally totally "passive" like images (for an example with JPEG images see this Microsoft security bulletin from 2004). A trivial example from 20 years ago was a (formally correct) GIF file which expanded to a huge bitmap. An attempt to display it in a browser of viewer simply crashed the computer, which is a blunt denial of service attack. For an exploit the data presented on the page would be specially crafted to produce a misbehavior of the specific decoder which eventually allows the attacker to place executable code in the computer's memory which will then be executed. The original code can be small, say a jump to an operating system routine starting a shell.
The obvious mitigation strategy is to disable as many data formats as possible in the browser. No videos, no sound, no images, no scripting.
It may be worthwhile to repeat the mantra of the German blogger and security expert, Felix von Leitner. He is adamant that virus scanners only offer fake protection (he calls them snake oil). One reason is that they are never perfect and thus need a responsible user anyway. The second reason, relevant here, is that the virus scanner itself is a huge attack surface! Think about it. Modern scanners open and parse a dazzling plethora of file formats — the very process we have established as the main attack target. Felix lately linked to a project by Tavis Ormandy. He wrote a framework to load and run Windows DLLs under Linux. His motivation, as he writes in the README, was to fuzz test the MS security core engine:
MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2016, and so on. Additionally, Microsoft Security Essentials, System Centre Endpoint Protection and various other Microsoft security products share the same core engine.
The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers, full system emulators for various architectures and interpreters for various languages. All of this code is accessible to remote attackers.
The reason to mention this here is that even if your browser handles everything well, your anti virus program may, ironically, betray you, because it opens all files for you.
