Just about every client that is doing anything interesting is connecting to the internet. Being behind a router or even firewall does protect against a huge number of external attacks. If the machine doesn't have the port open, it's a rare occurrence for a remote compromise.
But that's not the attack vector anymore. It's compromised websites, taking advantage of weak browsers and even weaker plug-ins. Many don't require user input, so the generally useful advice of "just don't click on anything stupid" isn't wrong, but it's not a comprehensive solution. If you're running an out of date browser, Adobe Flash, Shockwave, Java, .NET, and a few other heavy hitters in a similar vein, given enough time, you will come across an exploit online. It's not only about going to trusted websites either, as over the past 2 or 3 years, they are coming in through malicious ad modules that are being pulled into otherwise trustworthy sites.
|