BleepingComputer.com: Can you get a virus just by clicking a link/image?

I have been told several things by many different people and I just want to know the truth. I've been told that you cannot get a virus/malware/spyware just by clicking on a link or image, it always needs permission to download(they even go as far as to say you don't need any antivirus because of this). I have also been told that if you click on a link or image, you will get the virus in some cases, meaning the virus does not need permission, it will auto download and you're infected.

I clean computers every day and regularly have customers come in who claim they did nothing but click a link and have become infected. Sometimes it's email or Facebook links. Other times it's just random websites they happen to click on.

So the question is, can you in fact get a virus/malware/spyware from only clicking on a link?

Thanks in advance for the replies.

If the software on the machine isn't fully patched, then yes, you definitely can.

Even if you're fully patched there are threats that surface for which patches have not yet been written.

The number one way to protect yourself is to practice safe browsing habits.

Google "image poisoning". . . that should shed some light on how clicking an image can result in infection.

Hope that helps,

~Blade

DaViD_MiLLs, on 20 July 2011 - 09:00 AM, said:

Short answer: yes.

Longer explanation: it is not the link itself that can infect your computer, but it's actually the content that is downloaded and rendered from said link that can infect your computer.

You can also get an infection from a malicious ad on a legit website. And drive by infections are especially common on Facebook which is why I stay away from it.

Ok. Thanks for the replies.

Blade, when you talk about the software 'being fully patched' you're talking about everything being up to date and it's most secure, right? Like if you're running Adobe Reader 9 instead of the most up to date version, a bug could slip through because it's has security issues? Same with antivirus programs and everything thing else with the ability to be compromised?

So if a user is running a Norton AV that the subscription has run out on and they just ignore the request to update(resubscribe), just clicking on a link can infect them, without any prompting for downloads or approval?

Didier, thanks for the response. I do understand it's not the link itself. I often click on links that prompt me to download or install fake antivirus/malicious software/spyware though I never allow them to do so.

Frank, I have never gotten into Facebook, but I know a lot of people get infected from Facebook. I do understand what you're saying about legit websites/programs and the hidden content being possibly malicious as well as 'drive by' attacks.

Thanks again for the responses.

Even if a user has an active firewall and anti virus, they can't prevent a virus from users who mindlessly click on every link that is emailed to them or sent to them by Facebook or Twitter. At some point, users have to show some common sense and be more vigilant. If I get sent a link by Twitter and I don't know the person, I don't click on it. I check their profile and report it if it's a spam account. You can't protect users who refuse to learn.

DaViD_MiLLs, on 20 July 2011 - 08:12 PM, said:

Correct

Yes, you can get a virus just by clicking a link or linked image, especially with older Windows operating systems and older browser versions.

Most websites use JavaScript, Flash or ActiveX components to display page elements, read form input, launch pop-up windows or perform other actions. These packages have the ability to do most of the things a native executable program can do - write files to your drive, download content from other locations, and so on.

Even though computer operating systems place limits on what programs can do without specific user intervention and where they can write data, there are always holes in this security. Most of these vulnerabilities are discovered eventually by vendors, security "white hats" or malicious "black hats". Vendors may provide updated versions to secure these vulnerabilities, but users often fail to run updates...

The above is true regardless of which operating system you're using. Windows 7, Mac and Linux are exposed to the same malicious site code as older Windows versions, but the underlying operating systems have fewer exploited vulnerabilities.

Many holes don't get patched before malware writers exploit them, so websites are an ideal way to expose thousands or millions of potentially vulnerable computers to infection. This malware distribution model is so effective that popular legitimate sites (MSNBC and the New York Times are recent examples) and advertising distributors have been repeatedly hacked to insert malicious code.

If your browser doesn't have the correct limits on what scripts and plug-ins can do, and your operating system is vulnerable, a website with malicious code can initiate a malware download and installation onto your computer without any other intervention. When you click on a link in HTML e-mail, your browser attempts to load that site and runs any scripts specified in its code just as if you had entered the URL in an open browser window.

Google Chrome 12, Firefox 5 and Internet Explorer 9 browser versions "sandbox" running scripts to help ensure that any changes they make are temporary and erased when the browser closes - everyone should upgrade to one of these browsers.

Blade Zephon, on 21 July 2011 - 04:24 PM, said:

Thanks.

Patience, that is exactly what I was looking for. Thanks for the post.