Comment Re:What the fuck (Score 4, Informative) 192
You are right, download shouldn't run automatically. And actually, no browser intentionally allows downloading programs automatically.
Unfortunately, internet browsers are quite a complex piece of software that connects to a lot of other complex libraries, and each of these software elements may contain security vulnerabilities, used by exploits that download and run malicious code. The idea is this: some hacker finds out about a security bug in some Windows library (which could be the result of something like a buffer overflow bug), such as a library that displays some file format (WMF, AVI, etc.), ActiveX, JavaScript, etc., and then embeds in a website some file that uses this exploit (Windows metafile, embedded video, etc.). Such vulnerabilities are being discovered all the time, and Microsoft keeps releasing new security patches that fix these bugs, but from the moment the bug is discovered to the moment you download a security update there is enough time during which your computer is exposed to such exploits.
I don't think it is realistic to expect software to be free of such vulnerabilities. Every OS has them. Fortunately for people using other OSes such as Linux, Linux is not targeted by hackers as much as Windows because it is not as common as a desktop OS, and the fact that most users do not run as admins also helps to reduce the potential damage of malware. I believe there are other ways to reduce exposure to such exploits: for example, use data execution prevention, and use a sandbox to isolate the browser and all the libraries it uses from the rest of the system. However, you need to design the system from the ground up to be able to implement these measures properly.