People can, and have, externally linked to malicious software from our sites.
Of course, that can happen anywhere on the net and users (and their
browser software) should be smart enough not to execute such code, but
Wikipedia looks rather respectable so people may be more inclined to
bypass security measures based on something on our site.
At the moment there are 209 external links to .exe files from the main
namespace of English Wikipedia.
I don't think we should worry about malicious software specifically.
Instead view any external link to malicious code as part of the larger
problem of weak oversight of external links.
A while back I ran clamav against all 'executable' looking external
links and found one nasty file. It would be really nice if the
mechanism that updates externalinks table spat out a running log of
external link additions and removals that we could hook an ongoing
It's also possible to rename malicious content as one of our accepted
formats for upload and upload it. If you client will execute an 'exe'
renamed to 'ogg' and sent with the Ogg mime type your client is
broken, but broken clients do exist. I do not recall ever seeing an
example of something malicious distributed that way on our sites.