Is there a real possibility of getting malware by “drive-by”?
You can lookup vulnerabilities at http://cve.mitre.org/. "CVE is a dictionary of publicly known information security vulnerabilities and exposures."
A rough search of:
- Firefox, returns 888
- Chrome, returns 729
- Flash, returns 371
Further filtering of the severity of these would need to be done, but this gives an upper bound of found vulnerabilities.
http://web.nvd.nist.gov/view/vuln/search allows for filtering based on time period; with only the CVE checkbox selected, searches over 3 years and over 3 months give the following, respectively:
- Firefox, returns 391, 64
- Chrome, returns 653, 80
- Flash, returns 227, 16
Yes, this is one hundred percent possible:
- Browsers are huge programs, containing script engines, markup parsers, rendering engines and even audio / video codecs. Any of these parts could have a vulnerability, which might be exploited.
- Browsers run JavaScript, which is a Turing-complete language, making it nearly impossible to analyse what it is doing ahead of time. There's a near infinite number of ways to express the same code. Obfuscation via `eval` makes this even harder. This also means it's ideal for dropping payloads.
- Certain browsers also allow alternative script types, such as VBScript. This can open up further security holes.
- Flash is a semi-privileged plugin, which has access to some files on your system. Searching for "flash malware" on Google returns ~54 million results. The CVE database shows around 1200 unique Flash vulnerabilities.
- You might be convinced into downloading a document (e.g. PDF) that represents an exploit against a 3rd party vulnerability. This is often used in email, where executables and scripts are usually blocked.
- Browsers often have markup (e.g. the `object` tag) that is used for certain plugins. Sometimes you don't even have to have installed or enabled a plugin for it to be a security vulnerability - look at how IE6 handles ActiveX for example.
- You might drop some personal information into a website, which is later used for a spearphishing attack, resulting in infection.
- You don't even have to have a vulnerable browser. Accessing a website could add your IP address to a list of targets to scan, which might result in you getting infected via a remote code execution vulnerability.
- An attacker could use HTML5 to turn your browser into a botnet zombie, without actually infecting your machine. Send your thanks to Bob McArdle for the great presentation on that one, by the way!
As Phillip said in his answer, you can read up on vulnerabilities in the CVE database, which you can search at NVD. You could also search sites like OSVDB, exploit-db and packetstorm.