This is true dispite what people might think spyware "can be magicly injected" into your computer. This is mostly true for IE and OLE because who ever makes the spyware often uses exploits such as the mhtml, ms-its, vbscript filedrop, ADODB.stream, etc, etc, exploits. The other thing is some spyware can set the active x security settings to allow all. This would allow other spyware to come on to your computer from visiting it with out any interaction.