Mozilla and Opera, as well as Microsoft, maker of Internet Explorer, have spent the better part of the past decade toughening their browsers against attacks through a relentless parade of updates. Mozilla, for example, lists 2237 bugs -- not all security bugs -- that were fixed in its , which was published on August 28.

But even if your OS and browser security is inspired by Fort Knox, the bad guys always seem to find a new gap in the armor.   

Now that it's harder to penetrate the browsers and the OS, data thieves have changed their tactics, targeting the two remaining weakest links: Third-party browser plug-ins or add-ons, and users themselves. As third-party plug-ins go, Java remains abused as a vehicle for automated "drive-by" attacks, often enabled by low-cost exploit kits sold on the black market. Forbes published in March showing what nefarious buyers will pay for exclusive access to a new, so-called zero day vulnerability. The reward of $40,000 to $100,000 is more than enough motivation for exploit coders to start early and work late.

Part of the attraction is Java's ubiquity. "It's almost a compliment to Java's developers," says Steve Santorelli, director of global outreach for Team , a security research nonprofit in Florida. Java, unlike any other browser plug-in, runs in nearly every operating system imaginable. "It comes down to the economics of malware," Santorelli says. Malware authors want the biggest possible return on their investment in development, which means malware that targets the widest possible market.