Almost all kit-created virus and malware infections are caused by the failure to update five specific software packages.
According to Danish security company CSIS, Windows machines are often infected because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash.
During a three-month study, CSIS monitored 50 exploit kits on 44 unique servers/IP addresses.
It found that in more than half a million user exposures, 31 per cent were infected with malware due to unpatched software.
The most vulnerable program was Java JRE, with 37 per cent of installations unpatched. Adobe Reader and Acrobat were unpatched in 32 per cent of installations and Adobe Flash Player was unpatched in 16 per cent.
Internet Explorer was unpatched in 10 per cent of cases, Windows HCP in 3 per cent and Apple QuickTime Player in 2 per cent.
In terms of web browsers, Internet Explorer was the most infected, with 66 per cent of users vulnerable, followed by Firefox (21 per cent), Google Chrome (8 per cent), Safari (3 per cent) and Opera (2 per cent).
Of the infected Windows systems, 41 per cent of users were running XP, 38 per cent Vista and 16 per cent Windows 7. Five per cent used Windows 2003, and 1 per cent Windows 2000.
Peter Kruse, partner and security specialist at CSIS, told SC that he expected Java JRE to be in the top five, but with Adobe Reader/Acrobat in first place.