This is how Windows get infected with malware

CSIS has over a period of almost three months actively collected real-time data from various so-called exploit kits. An exploit kit is a commercial hacker toolbox that is actively exploited by computer criminals who take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits.

The purpose of this study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third-party software are at risk.

via This is how Windows get infected with malware.
I have never been a big fan of constantly chasing patches but this conclusion has me rethinking my thoughts on this…

The reason why patching is essential

The conclusion of this study is that as much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages.

I think the main problem here is that all these PCs were directly connected to the Internet. The simplest solution of using a hardware router and NAT should stop these kinds of attacks from ever hitting the PC. I’m still leery about constantly applying patches because sometimes the patches themselves are buggy and may introduce new vectors into your OS. Software upgrades need to be planned as a general policy for the entire PC or sets of PCs and not dictated by a mere application or OS vendor.

Protecting a Laptop from Simple and Sophisticated Attacks

Some people might say that many of these precautions are over the top and paranoid. I don’t consider myself an “elite hacker”, but I know that I could pull off most of the attacks that I’ve discussed above without much trouble. Cold boot and Evil maid are practical, easy-to-pull-off attacks. Why wouldn’t I defend against them?

via Protecting a Laptop from Simple and Sophisticated Attacks | Mike Cardwell, Online.