Can a website download documents, images, or other information onto my iMac without my consent or awareness?

In certain cases, yes it can, what it is usually called is a "drive by download": JavaScript exploits, Java exploits (or even you approving the download), and other exploits can indeed infect your computer, if you believe a website is risky you can download the NoScript extension or disable active plugins like Java or JavaScript entirely.

But please know that attacks where a malicious website can download malware onto your computer without your input [downloading a file. approving a prompt, etc], are very rare and will require a zero day exploit which is very expensive. This is why you are often asked to keep your software up to date, because any exploit found in a certain version can only be fixed in a later version, it isn't going anywhere.


The point of @leethax is technically almost OK except the fact that they are not very rare at all

Such infections exploitations are driven by what is called Exploit Packs // Exploit Kits which are basically toolkits that help exploiting client side vulnerabilities (this goes from the browser to java passing by flash or whatever client side stuff)

Common exploit targets have been vulnerabilities in Adobe Reader, Java Runtime Environment and Adobe Flash Player.

Characteristics of Exploit Kits

A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn’t need to know how to create exploits to benefit from infecting systems. Further, an exploit pack typically provides a user-friendly web interface that helps the attacker track the infection campaign.

Some exploit kits offer capabilities for delivering payload that remotely controls the exploited system, allowing the attacker to create an Internet crimeware platform for further malicious activities.

You can check this, this and this for more information


The OS part is mostly irrelevant here. A web page is built from:

  • a general part containing text and global structure: the HTML file itself
  • various auxiliary files: presentation (css), images or other media files, and scripts

The browser by itself downloads the main HTML page and all its declared components and then executes the scripts. Things can become rather complex at this moment, because the scripts can do many things:

  • change (partially) the browser configuration
  • download other files or components
  • make the browser point to another page

Normally, the browser cannot by itself execute something directly at the OS level, but everything is kept at the browser level in a kind of sandbox.

Additionally, some particular content are not directly executed by the browser but require a plugin. Flash video or games are typical of that

Thus there are different kinds of threats:

  • a vulnerability in the browser that allows direct execution of code - it can be mitigated by keeping the browser and the OS updated with all security patches
  • a vulnerability in a plugin. Flash plugins often have a poor reputation, but there are many plugins around
  • an apparently harmless user action that will actually execute a malware or create a security breach by installing a vulnerable plugin. That is generally the simplest and most efficient way:
    • click here to install that hyper cool background on your computer
    • you current video player will not be able to support the special effects of this movie. You should update it from here
    • you can get [choose your favorite feature here] from here

You are just right in one part. Apple OS is less used than Windows on desktops/laptops or Android on smartphones, and Apple developer environments are much more expensive than Windows or Android development kits (you can get the latter for free). That is a reason why you can find more malware targeted at Windows desktops/laptops than at Apple, Linux, or BSD systems, because of the cost/gain ratio from the malware developer. But I would not bet a coin that Apple system is so robust that it contains no vulnerabilities. Because any addon can come with its own vulnerabilities and I do not think that any iOS app has been thoroughly reviewed on a security point of view before being added to the App Store.

As it is signed by its developer, an app should not carry a malicious payload, but it can simply contain a vulnerability that could later be exploited by a malicious site... Slightly more complex, but still possible.

Tags:

Web Browser