Question

Everyone knows that some sites can harm your computer just by looking at them, or some emails can send mail to all of your friends or collect information about you just by reading them.

How is this possible? Every site is just plain HTML, CSS and JS, that can't make any permanent changes on the computer (except cookies, but that can't harm you, can it?) so how could I get a virus?

If I click an ad, how do I get a virus? Downloading link for autorun program?

How are these things done? What programming language?

Solution

In general, the way these vectors work is by exploiting flaws in the software used to read/render the HTML, CSS, and JavaScript. In a perfect world with perfectly secure browsers/email programs with perfect sandboxes, then you'd be right that just viewing a page or an email couldn't load a virus on your computer. But we don't live in that perfect world.

One example is the "buffer overrun" vulnerability: The attacker spends a huge amount of time and effort to find that a particular program loads some resource (a CSS cursor, for instance) into a buffer, failing to check that the resource is small enough to fit in the buffer. So the program writes bytes beyond the end of the buffer. Buffers are frequently on the stack, and so overwriting them can overwrite things like the return addresses for function calls. If you craft the data just right, you can make a return address jump to instructions in the data of the resource you're loading. At that point, all bets are off: the attacker can run arbitrary machine code embedded in that resource.

Other vectors involve vulnerabilities in the sandbox in which the JavaScript on the page runs.
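
The missing size check described in the answer above, shown beside the corrected loader, as an added example that is not part of the original answer. The resource format, `struct frame` and all function names are assumptions made for illustration; the stack frame is modelled as a struct so the overwrite of the neighbouring field can be observed safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CURSOR_MAX 32
/* Modelled stack frame: saved return address right behind the buffer. */
struct frame { uint8_t buf[CURSOR_MAX]; uintptr_t saved_ret; };

/* Constructed format (assumption): 2-byte little-endian length, then payload. */
static int payload_len(const uint8_t *res, size_t res_len, size_t *n)
{
    if (res_len < 2) return -1;
    *n = (size_t)res[0] | ((size_t)res[1] << 8);
    return (*n <= res_len - 2) ? 0 : -1;  /* source must hold n bytes */
}

/* Flawed loader: never compares n with sizeof buf. */
int load_unchecked(struct frame *f, const uint8_t *res, size_t res_len)
{
    size_t n = 0;
    if (payload_len(res, res_len, &n) != 0) return -1;
    if (n > sizeof *f) n = sizeof *f;  /* fence for this model only */
    memcpy((uint8_t *)f, res + 2, n);  /* n > CURSOR_MAX spills into saved_ret */
    return 0;
}

/* Hardened loader: a payload that does not fit the buffer is rejected. */
int load_checked(struct frame *f, const uint8_t *res, size_t res_len)
{
    size_t n = 0;
    if (payload_len(res, res_len, &n) != 0 || n > sizeof f->buf) return -1;
    memcpy(f->buf, res + 2, n);
    return 0;
}

/* 1 if the modelled return address survives a constructed 40-byte payload. */
int ret_survives(int (*load)(struct frame *, const uint8_t *, size_t))
{
    uint8_t res[2 + 40] = { 40, 0 };
    struct frame f = { {0}, (uintptr_t)0x1000 };
    memset(res + 2, 0x41, 40);
    load(&f, res, sizeof res);
    return f.saved_ret == (uintptr_t)0x1000;
}

int main(void)
{
    printf("intact: unchecked=%d checked=%d\n", ret_survives(load_unchecked), ret_survives(load_checked));
    return 0;
}
```

In a real stack frame there is no struct boundary to stop the copy, which is why the single comparison in `load_checked` is the whole fix.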

Other tips

Most users install plugins such as Adobe Acrobat, Shockwave Flash and Java in their browsers. If the plugins are out-of-date and the user visits a malicious site with code that targets certain vulnerabilities, the attacker may be able to execute arbitrary code, gain privileged access to the system, install a virus (join a botnet, for example), etc.

Luckily nowadays modern browsers sandbox the plugins and organizations like Google check for malicious code while crawling.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow