kurt wismer wrote:


>> AFAICS things are typically stated like "it just happens naturally".

>
> that could just as easily be an interpretation that is peculiar to you
> alone...



Sorry, but it's exactly what I see in real life.

> it is something that is likely to happen (or to have happened, as in
> 'that's the way the malware got in') to quite a few average users because
> it's not easy to avoid being vulnerable nor to avoid being exposed...



Nonsense, it is really easy because almost every webbrowser is secure by
default out-of-the-box.

>> Aside from the serious need for any actual vulnerability, which is
>> truly hard to find,

>
> hard to find a vulnerability? on what planet?



On this planet. Show me an up-to-date webbrowser with an unpatched
vulnerability and/or a bad security history (that is, there have been large
non-negative delays between vulnerability and patch and no workarounds).

> i'm wondering what exactly you mean by avoidability here... do you mean
> it should be easy to avoid being exposed?



It's hard getting exposed at all.

> you are aware that these types
> of exploits have been known to be injected into the ad rotation of
> legitimate, otherwise trustworthy sites, right?



Right. The exposure is measured by the security of the webbrowser, and
nothing else.

>> BTW, what exactly differs a "drive-by-download" from a "webbrowser
>> exploit" as we've called it since ever?

>
> well, consider the possibility that a web browser is not the only
> component on your system involved in rendering the content on a given
> web page... the browser renders the html, but what about scripts?



ECMAScript is obviously interpreted by the webbrowser as well.

> what about multimedia? what about other document formats like pdf?



That's external. Do you let such things load by default or what?

> strange, most people would refer to that simply as hype rather than full
> non-reality...



Indeed, since the phenomena don't belong to the description.

>> Just like "tracking cookies", "phone home" or "phishing".

>
> you don't think phishing is real either? oh boy...


Phishing is described as a problem of the webbrowser and/or the WWW, but
it's solely a PEBKAC problem, thus it's a problem within the user and the
phenomenon only a result of this. For any minimally competent user phishing
purely is a non-threat.