noone_particular is correct. You're never 100% secure. Most security mitigation is about slowing the hacker down and making the hack too expensive. If a hacker wants to get past Chrome/IE9 (example), they have to exploit Flash or Chrome or IE9, and then they need a second vulnerability to get past the sandbox. Or if there are no scripts on the malicious webpage, they need to come up with scriptless exploits, etc. Every time you do these things you aren't 100% secure; you're just forcing the attacker to play by your rules, and eventually it's just too much to bother with. As users we rarely have to deal with direct attacks. Breaking automated attacks is easy: if any single assumption made is wrong, the attack will typically fail. Malware rarely has a backup plan - we only see that on the really advanced stuff like ZeroAccess, and that wasn't even so complicated.