There are a number of ways you can get these kinds of things - they get updated pretty regularly to exploit whatever they can. Here are the best ways to protect yourself:
1) Update Your Browser
The most important thing you can do to avoid this stuff is to keep your browser up to date. This goes triple for Internet Explorer. Ideally, you shouldn't run Internet Explorer at all - anything else is going to be better protected simply because fewer people use them.
2) Update Windows
No matter what version of Windows you're running, you need to make sure that you're installing updates. Ideally, on a weekly basis, with Automatic Updates turned on. If you have Automatic Updates turned off and are not checking yourself at least once a week, you're a computer idiot and should not be allowed on the internet.
3) Get a decent anti-spyware program
This may be, but usually isn't, a part of an anti-virus program. They are different things. If you don't have one, I highly recommend Microsoft Security Essentials [http://www.microsoft.com/security_essentials/]. It's free, updates silently and automatically (and regularly), protects against both spyware and viruses, and has relatively low impact on system performance. That is what I install on my family's machines.
4) Update Flash, Acrobat Reader, and Java
These are things that most people don't update regularly because a) older versions always work and b) their update notifications are annoying. Don't do this. If they're running on your machine, they're big fat security holes that can work in almost any browser. Make sure you check for updates at least monthly, and you might want to suffer through the annoyance and keep their update notifications on.
5) Use a router
I'm always surprised by how many people plug their computer directly into their cable/DSL modem. This is very bad. Get a router, any router, even if you're never going to connect another computer to it or run a wireless network. The NAT proxy that routers use to share your connection has the side effect of significantly increasing your security against random internet viruses and worms. Also, never ever use a DMZ unless you are absolutely sure you know what you're doing.
6) Don't be stupid
Don't run attachments from your email unless you asked someone to send them to you. Don't download random programs from the internet unless they're from a trusted source. Don't download warez or other pirated stuff. Learn to tell the difference between a popup ad and a real system message from your operating system; close the popup ads and don't click on them. This should all be obvious, but I feel the need to reiterate it.
By the way, Windows Vista and Windows 7 are much better protected than Windows XP against all of these things. A lot of the improvements between Windows versions were background security features that most people don't notice, but are still a very good reason to upgrade your OS if you can.
The most secure Windows browser/OS combination at the moment is Chrome on Windows 7. Chrome is quite secure on its own, but it will also take advantage of some special security features in Windows 7 that are only otherwise used by IE8.
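The router point in item 5, as an added example that is not part of the original post: a small model of a home router's NAT table showing why unsolicited inbound traffic has nowhere to go, and how a DMZ host setting undoes that. The `HomeRouter` class, the addresses (documentation ranges) and the strict address-and-port matching are assumptions made for illustration; real routers differ in how strictly they filter.

```python
# Constructed model of a home router's NAT table (illustrative only, not real router code).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HomeRouter:
    public_ip: str
    dmz_host: Optional[str] = None   # LAN IP that receives ALL unsolicited traffic
    next_port: int = 40000
    # public port -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: allocate a public port and record the mapping."""
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return public_port

    def inbound(self, remote_ip, remote_port, public_port):
        """A packet arrives from the internet: return (lan_ip, lan_port), or None if dropped."""
        entry = self.table.get(public_port)
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[:2]                      # reply to a connection a LAN host started
        if self.dmz_host:
            return (self.dmz_host, public_port)   # DMZ: forwarded to the host unfiltered
        return None                               # no mapping, so nothing on the LAN receives it


def demo():
    """Run constructed traffic through the model and return what each packet reached."""
    router = HomeRouter("203.0.113.10")
    port = router.outbound("192.168.1.20", 51000, "198.51.100.5", 443)
    results = {
        # The web server answering the PC's own request gets through.
        "reply": router.inbound("198.51.100.5", 443, port),
        # A random scanner probing the file-sharing port finds no mapping.
        "unsolicited_probe": router.inbound("192.0.2.77", 50000, 445),
        # The same scanner hitting the open mapping is not the expected peer.
        "wrong_peer": router.inbound("192.0.2.77", 50000, port),
    }
    router.dmz_host = "192.168.1.20"              # the setting the post warns about
    results["probe_with_dmz"] = router.inbound("192.0.2.77", 50000, 445)
    return results


if __name__ == "__main__":
    for name, delivered_to in demo().items():
        print(f"{name:18} -> {delivered_to}")
```
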