9

Can a computer be infected when it accesses a malicious web page?

Why is a web browser not 100% safe? What web resources, such as JavaScript, Flash or an HTTP connection, can infect a computer?

1
  • It depends on which browser you are talking about.
    – Pacerier
    Commented Apr 29, 2012 at 0:27

4 Answers

12

Yes you can. Usually a proper Anti-Virus program will intercept these attempts though. Of course, browsers don't have "built in" backdoors/vulnerabilities but they can exist nevertheless. When such a vulnerability is found by a hacker or other malicious user, that vulnerability can be exploited to infect the visitor of the web page.

If something could be made 100% safe, there wouldn't be any need of Anti-Virus programs at all. There's always some creative solution that can be found to infect people anyway and such an exploit can only be patched after it has been discovered.

It's like typing an entire book on your keyboard, without checking for typos. You will only discover your errors when you start reading/reviewing whatever you typed. Reading in this case, would be to just "use" the browser.

Most exploits are in 3rd party plugins (such as Flash, PDF reader plugins, media, etc.) so the browser maintainers don't have full control over what is run in their browser. It's like having a house built by 4 different contractors who don't know exactly what the others are working on or how they are doing it...

6
  • I love the implication that metaphor has; "code is written start to finish without being read through" :P
    – RJFalconer
    Commented Feb 12, 2011 at 21:22
  • @RJFalconer It's true right ;)? At least, you won't find most of the bugs until you've executed it...
    – Pylsa
    Commented Feb 12, 2011 at 21:23
  • I would like to know some old Firefox exploits and understand
    – Squall
    Commented Feb 13, 2011 at 22:23
  • @Squall there are several exploits that were made public. Try googling for "exploit plugin add-on firefox"
    – Pylsa
    Commented Feb 15, 2011 at 13:02
  • 3
    I disagree. 99.99% of the time it is the user downloading and executing some rubbish. And no, an antivirus cannot intercept unknown exploits.
    – gd1
    Commented Jul 16, 2011 at 21:36
1

Squall,

Software is intrinsically difficult to get right. For a glimpse at why, I recommend an article by Cem Kaner, an expert software tester. The article is called "The impossibility of complete testing." Also read his article on "Software Negligence and Testing Coverage".

A short answer is that software is complicated, demands perfection, and humans are imperfect. With limited resources, competition, and limited knowledge, a lot of software developers do the best they can. Those who are careful to produce even more secure software will never be able to compete--their products will be more expensive, late to market, have fewer features, etc. On the other hand, security is becoming an important customer consideration; while customers (and most developers) can't tell what's secure by looking at it, there are experts, analysts, and historical trends that teach us about security, and help us make better decisions about the products we buy and use.

Sometimes the more secure products will be more expensive, or lack other qualities we desire beyond just cost (features, usability, performance, etc).

In the world of software security, we generally accept that if an adversary has enough funding, motivation, and/or resources, nothing is truly secure.

Security costs money, and it's a tradeoff.

0

Yes, those are called "drive-by infections".

The term “drive-by infection” describes the process of malware (malicious software running harmful activities against users' wishes) infecting a user’s computer merely by visiting a website. Affected websites often contain legitimate offers, but have been compromised by hackers introducing malicious code to the website to then distribute malware. Just surfing to an affected website is sufficient to infect a computer.

Why is a web browser not 100% safe? Prime example here

See a video of a drive-by infection in action here:

http://www.youtube.com/watch?v=9_PYdgwkxx0

0

I was sure that nowadays every security hole was fixed. I was wrong.

As proof, you can read the Microsoft Security Bulletins. On the left tab there is "Security Bulletins by year", where you can find IE and Edge patches. You will find that in each, or almost each, month, even the recent ones, there are patches for IE and/or Edge. I'm sure there are equivalent bulletins for other browsers (with more or fewer patches).
