The vast majority of content on the Web seems free, but it's actually supported through advertising. The largest syndicated ad providers are owned by the search engine vendors. For example, DoubleClick is actually owned by Google. While ads may appear in search engine results pages, the ads are also syndicated out to participating websites for revenue share. Because Internet advertising is so ubiquitous, it quickly became a target through which attackers attempt to deliver malware.
Advertising networks merge multiple levels of affiliates with automated processes designed to quickly and efficiently consummate the relationship between the site owner and the advertiser. One rogue or inattentive affiliate and suddenly large numbers of mainstream websites are turned into malware distribution points, potentially impacting tens of millions of Web surfers.
Malicious ads seldom exploit zero day vulnerabilities. Instead, the exploits used are generally for older known vulnerabilities for which patches have long been available. The problem, of course, is that many people put off updating - or only update Windows and not the rest of the programs.
To make sure your system is fully patched, use both of the following free services at least once per month:
Antivirus software can help defend against malvertising (malicious advertising) but your safest bet is to prevent it altogether by ensuring all security updates for all programs are installed. The automatic update feature in Windows only installs Windows updates - it will not guard against vulnerabilities in other programs installed on your PC.
Ad blocking programs typically work via blacklisting, identifying known advertising domains. The problem with this approach is that it is reactive. Your best bet is to apply patches religiously. If you use Firefox, the NoScript add-on will block javascript from any untrusted websites. Javascript is a scripting language used extensively on the Web and it's the scripting language used to deliver advertising.