Malicious codes can not execute themselves and can not infect a remote system without the user manually running a file.
If the articles are written by security vendors that sell products it is just an ad campaign, scareware tactics to make users buy or use their products. Think about it, I have been using the web since 1995 and on older Windows and browsers this was possible and happened often. I haven't come across any malicious codes that could do this since the release Windows XP SP3 and IE7. Of coarse older IE versions are vulnerable and so is XP now, but on Windows Vista and above this is no longer possible unless the user fails to keep their software updated.
The most common vulnerability to execute malicious codes is the Java browser plugin, most browsers have already disabled it by default.
Adobe Flash Player and Adobe PDF Reader is also commonly used to execute malicious codes. Keeping Flash Player updated is a must, use an alternative PDF reader or Google Chrome and Firefox has their own now.
New vulnerabilities are discovered all the time and if some sites had malicious codes used as exploits, UAC would still block them from executing. I browse all over the web even some infected sites and I have not come across any malicious codes that could automatically run without the users permission and UAC prompts. Because if any do exists they are extremely rare to find if you have everything currently updated. If some websites did have malicious codes that could run just by clicking on the links without downloading any files then no security products would be able to protect you period because they would have to bypass Windows kernel in order to be effective, only UAC and update patches can protect kernel exploits, once Windows kernel is bypassed all software based products are useless.
Thanks.