alamanos opened this issue on Jan 29, 2007 · 127 posts
kuroyume0161 posted Thu, 01 February 2007 at 4:31 AM
True if we're talking internet connection. But this doesn't consider cracks (hey, people like free software) and hacks (if on the internet at any length). Cracked software is an excellent means to introduce viruses, adware, zombies. Hackers are not waiting for a user to invite them in, they are attacking exploits to break down the door. Users who are aware of this can usually safely guard against it (firewalls and such). But that doesn't negate the potential. Security flaws in HTML, FTP, Email, and other servers and hardware connections are quickly exploited. And that doesn't even consider open ports (which should be protected by a good firewall).
We are all aware of the IE buffer overrun exploit that allowed malicious code to be run if visiting a website or by some other means. Didn't always require a hapless user clicking an email link - just needed to be unfortunate enough to happen upon the site somehow.
For instance, I was privy to a nice (but short-lived) DoS attack on my website recently. Basically, the script-kiddie was repeatedly downloading a set of large zip files off my site to bring down the site otherwise. Not much to do about that - except ban the IP address and hope it wasn't a zombie attack (wherein the IP could easily be switched). Even major corporations require some hefty layering, real-time diagnostic software, and well-versed system admins to avoid these - hopefully.
As you note, to cause the damage, one must execute the code. Any code that is executed is vulnerable to some form of vulnerability. All code is executed (or it's sort of useless). Yes, most times this is easily avoided by following simple rules - don't open unsolicited email, never click on email links, don't use cracked software, keep software updated especially when the updates fix vulnerabilities, run AV, run firewalls, run Ad-blockers, run Pop-up blockers, etc. But most users are not very savvy.
Then there is the worst of all - root-kit type software that is unexpected, uncontrollable, automatic, while also being a probable pathway for exploits. Sony paid dearly (thankfully) for such an excursion. This still requires a user to unintentionally provide an avenue for exploits (software, internet) - yet still very dangerous potential.
The problem is that the internet is ubiquitous. I couldn't operate without an internet connection. My business depends upon it (both for serving as well as connectivity for communal response and informational/data resources). And that ubiquity is OBVIOUSLY exploited by scum who know that most people are not going to turn off their computer every time they go to get a cup of coffee or go to sleep. These connections are becoming more permanent and that makes for a nice continuous stream of possibilities for them. Even then, my mail and dns servers are local - always privy to attack. If a user gets past the hardware firewall into one of these, they have free rein. It has happened to some extent.
C makes it easy to shoot yourself in the foot. C++ makes it harder, but when you do, you blow your whole leg off.
-- Bjarne Stroustrup