Nearly 33% of websites are infected with downloadable malware, after infection rates almost doubled in the past year, according to research from the Sans Institute.
Users' confidence in online security is waning, leading small and medium-sized companies to lose business, it said.
The security training organisation last week published its annual list of the top 20 cyber security threats.
Gerhard Eschelbeck, chief technology officer at Webroot, one of the firms that contributed to the study, said, "Since January 2007, Webroot has seen a 183% increase in websites that harbour spyware. Infection rates for spyware and Trojans that steal keystrokes are currently at 31% and growing rapidly.
"In a survey of small and medium enterprises we conducted in September, 77% said their success depends on the internet, and 47.2% reported lost sales due to spyware."
Rohit Dhamankar, senior manager of security research at security specialist TippingPoint, said 50% of the total vulnerabilities reported in 2007 were in web applications.
"But it is only the tip of the iceberg," he said. "This data excludes vulnerabilities in custom-developed web applications. Compromised websites provide avenues for massive client-side compromises via web browsers, office documents and media player exploits."
The number of vulnerabilities in Microsoft Office products nearly trebled in 2007, said Amol Sawarte, manager of security firm Qualys's Vulnerability Laboratory. This was due primarily to new Excel vulnerabilities that can be exploited by getting users to open Excel files sent via e-mail and instant messenger.
Sans Institute research director Alan Paller said web application insecurity was particularly troublesome because so many developers write insecure code. "Most of their web applications provide access to back-end databases that hold sensitive information," he said.
"Until colleges that teach programmers, and companies that employ programmers, ensure that developers learn secure coding, and until those employers ensure that they work in a secure development lifecycle, we will continue to see major vulnerabilities."
Paller said new attacks use social engineering to expose internal company networks to exploitation. These attacks are much harder to defend against, he said. "They take a commitment to continuous monitoring and uncompromising adherence to policy with real penalties."
Technical defences have improved, but hackers are using automated attack programs to constantly scan the web for vulnerable systems.
"So many automated programs are searching for victims that Sans' Internet Storm Center (an early warning system for the internet) reports that computers can expect to survive only five minutes before being attacked, and will withstand the attacks only if they are configured securely before being connected to the internet," he said.