Is it possible to get a virus by opening a website or an email...

>Is it possible to get a virus by opening a website or an email, or do you always have to open their links and attachments?
where are you asking about an email with no protection whatsoever? go back to >>>/leddit/ nigger

On Windows: yes

On GNU/Linux: no

Oh my god.
I'm going to ask again in a simple way.
>Imagine there's a email client that implements a simple SMTP protocol with no security
>A guy sends me an email with a virus
>I open it.
>It executes code
I'm asking how.

It's HTML, dude. It executes code to show you pictures and formatting.
Not to mention that email clients often have javascript interpreters...

That was my question. I didn't know it could interpret JS.

So, how can HTML infect your machine? I can kind of understand how Javascript could do it, but isn't the browser blocking javascript from gaining access to your whole machine by running it in a sandbox?

So how can you get infected by just opening a webpage?

Yes, if there happens to be the combination of haxxored website and browser security hole on your system.
In fact, #1 should be enough, technically.

Avoid shoddy webmail clients.

Since your browser DEFINITELY has a JS interpreter.

HTML5 does a lot more than regular old HTML.
>sandboxing
kek
There are ways around sandboxing, and they mostly revolve around showing the user information that looks safe, while actually containing a sandbox-avoiding payload.
Sandboxing helps though.

Javascript is a fucking nightmare though. It can do so many things, all of them nasty. A single flaw in the sandbox and it just gets everything anyway.

>what are vulnerabilities

HTML can send arbitrary requests to an attacker's server- through the tag most often. On an tag, your client will send a HTTP request to the URL, and if the URL is say virus.net, it could load up virus.net/trustmeimadolphin.js instead.
JS sucks.

Alright, thanks. I get it now.

By a properly configured uMatrix, one should be safe from such exploits?

how hard would it be to escape sandbox in any major browser and execute malicious javascript code?

Yeah. Use noscript as well due to it's anti-XSS stuff.
Noscript should be a default install on browsers, and browsers should have a little tutorial on it for grandma.

Pretty hard actually. Chrome's browser sandbox gets updated all the time- escaping from one basically relies on extremely subtle and hard to find exploits. And these are usually closely guarded by security companies- the legendary zero day.

Dude if you just don't know the answer, say "I don't know", but stop pretending you have some knowledge by using generic terms.

yes, back when I did scamming on steam, i had a java exploit which would execute from browser, a cunt didn't sell me a sandbox exploit he apparently had, that could have been the biggest steam robbery in history

how exactly did it work? was it only working if you used a steam browser?

user downloads file, executes it, we get *.ssfn files, keylogs needed to login into steam, we log in, DDOS the guy, sell all items, transfer the money. we had a team of 150+ people doing the dirty job for us (getting people to download the .exe), all we had to do is sell items and cash in the %. lmao the workers were so stupid, we only paid like €30 for the whole setup and got paid 40%. this was all before 2FA btw

oh and if you're on about the java exploit, it would download and execute the .exe.

That sounds pretty nice my dude.