How can I can get a virus just by viewing a site or opening an email? [closed]

Question

Everyone know's that some sites can harm your computer just by looking at them, or some emails can send mail to all of your friends or collect information about you just by reading them.

How is this possible? Every site is just plain HTML, CSS and JS , that can't make any permanent changes on the computer (except cookies, but that can't harm you, can it?) so how could I get a virus?

If i click an ad, How do I get a virus? downloading link for autorun program?

How are these things done? what programming language?

Answer 1

In general, the way these vectors work is by exploiting flaws in the software used to read/render the HTML, CSS, and JavaScript. In a perfect world with perfectly secure browsers/email programs with perfect sandboxes, then you'd be right that just viewing a page or an email couldn't load a virus on your computer. But we don't live in that perfect world.

One example is the "buffer overrun" vulnerability: The attacker spends a huge amount of time and effort to find that a particular program loads some resource (a CSS cursor, for instance) into a buffer failing to check that the resource is small enough to fit in the buffer. So the program writes bytes beyond the end of the buffer. Buffers are frequently on the stack, and so overwriting them can overwrite things like the return addresses for function calls. If you craft the data just right, you can make a return address jump to instructions in the data of the resource you're loading. At that point, all bets are off, the attacker can run arbitrary machine code embedded in that resource.

Other vectors involve vulnerabilities in the sandbox in which the JavaScript on the page runs.