I would like to say that moderating one's browsing habits or visiting only "known good" sites (via mechanisms like Web of Trust) is a good idea, but I'm not sure anymore. The syndication systems that serve up these types of infected ads now run on all sorts of sites. I've been hit with drive-by malware from sites that I visit regularly and which have good ratings from site-review services, so it's no longer a question of simply keeping away from the Web's poorly-lit side streets.
Some people take additional steps, such as blocking ads entirely by running a plugin like Adblock Plus, or selectively disabling scripting for sites they're dubious about by using the NoScript plugin.
Firefox add-ons are a potential security hazard -- not as bad as IE ActiveX plug-ins, but still a potential threat. Many Web-based attacks that target Firefox don't aim for the program executable itself. Rather, they seek to undermine add-ons, which are made up of files that may not be binaries and so may not be treated as being at risk, and the support structure for the program.
Most of the danger comes from add-ons that pretend to be legitimate. For example, one add-on pretended to be the Adobe Flash Player, insisted on "updating" itself and dropped malware into the system.
One would think that antivirus programs would be a good first line of defense, but they have a spotty record of detecting things like this. For instance, the overlay.xul attack described above was still being ignored by many prominent antivirus engines (Symantec, Panda, Kaspersky, Trend Micro) even after a month of being in the wild. The SANS researchers who examined this threat ran it through an online virus-scanning service and were dismayed at how few applications flagged it as malicious.
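Because signature scanners can miss a tampered add-on file such as overlay.xul, one defensive check is a hash baseline of the non-binary files under the profile's extensions directory, compared again later. This is an added example, not from the original article; the file-extension list, the function names and the sample add-on ID are assumptions, and the sample directory is constructed.

```python
import hashlib
import os
import tempfile

# Assumption: non-binary file types used by legacy Firefox add-ons.
SCRIPT_EXTS = {".xul", ".js", ".rdf", ".manifest", ".css", ".xml"}

def snapshot(ext_dir):
    """Map relative path -> SHA-256 for every add-on script/markup file."""
    digests = {}
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, ext_dir).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff(baseline, current):
    """Return files added, removed or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample: a fake extensions directory in a temp folder."""
    with tempfile.TemporaryDirectory() as ext_dir:
        # Hypothetical add-on ID, used only for this illustration.
        content = os.path.join(ext_dir, "sample-addon@example.invalid",
                               "chrome", "content")
        os.makedirs(content)
        overlay = os.path.join(content, "overlay.xul")
        with open(overlay, "w") as fh:
            fh.write("<overlay id='sample'/>\n")
        baseline = snapshot(ext_dir)
        # Constructed changes: the overlay is edited and a new script appears.
        with open(overlay, "a") as fh:
            fh.write("<!-- constructed change -->\n")
        with open(os.path.join(content, "extra.js"), "w") as fh:
            fh.write("// constructed new file\n")
        return diff(baseline, snapshot(ext_dir))

if __name__ == "__main__":
    print(demo())
```

Legitimate add-on updates change these files too, so the baseline has to be retaken after each update you start yourself.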
One possible workaround is to use a non-installed version of Firefox such as Mozilla Firefox Portable Edition, which can run in any directory or even from a removable drive. If the program becomes infected, it can be kept segregated from the rest of your applications, and is easier to clean up and reset without damaging your user data. (Another possible workaround is to use a different browser entirely, but that might be more effort than it's worth.)
Many people switch to the Macintosh out of a sense that the Mac's a safer platform. By and large, it is, but threats do exist in the wild, whether piggybacked on pirated software or as the result of vulnerabilities in the platform itself. Most dangerous of all, though, is a false sense of security: users can be duped no matter what they're running.
Mac security-product creators Intego released a report (PDF) in 2009 that examined Mac malware and kernel vulnerabilities. There's not a lot of Mac malware in the wild -- Intego found most of it in pirated copies of commercial applications (iWork '09, Adobe Photoshop) available on peer-to-peer file-sharing networks.