Thanks for your question. It should be fairly clear that I'm not talking directly about the Ars issue. That isn't about an outlinked article (Ars doesn't aggregate quite that way) the way Google and HN do. However, using a VM separate from the browser sandbox is a nice way to anonymize and prevent any leaks/damage that can occur. I'm interested to know why you think this hasn't happened since most serous compromises are an untrusted link click away (esp in windows).

The first time was in about 2012. There was a news link off of GoogNews (not the site itself obviously, and an outlink as described). The "News" trojan link page seemed to be up for only a short while and then blocked, since later searches for the title were completely missing. I'm guessing Google probably caught it on their end since it was probably infecting everyone who clicked. I only noticed it reasonably quickly due to a rapid change in network activity, but it had already escaped the browser sandbox and was downloading more.

Drive forensics that day didn't show anything obvious on Friday, but the next Monday a trojan was found that had been using a zero-day. Since then I've used a VM for random browsing (it's not a panacea, but it's easy enough to do). If you believe that's ineffective, I'd like to understand more. A couple of times in the 13 years since, the AV in the VM has caught viruses and I don't really browse much except news from Google, Yahoo, HN, Ars, etc in that VM.