Network worms can get onto a PC within minutes of connecting to the internet, according to security researchers at the SANS Institute.
The "survival time" for an unpatched PC connected to the internet averaged 20 minutes in 2004, compared to 40 minutes the year before.
Users of broadband or poorly secured public networks would be infected much more quickly, in some cases under 10 minutes after connecting.
"The main issue here is that the time to download critical patches will exceed this survival time," the researchers said.
Security companies are also monitoring the state of play, and are even more pessimistic. Symantec estimates that it could take seconds rather than minutes to lose control of an unpatched PC.
"The Blaster worm is still the largest source of these sorts of attacks," explained Tony Vincent, lead global security architect at Symantec Managed Security Services.
"It's like space junk: everything we've launched from the Earth is still up there in orbit. These attacks are all still out there on the internet due to unpatched servers, and never stop running."
Symantec runs a simulated network that is left poorly protected in order to track the methods used to enter it. The company has found worms written three or four years ago still in circulation.
Once worms infect machines, the host PCs can be used to build networks of zombies that send out spam or launch distributed denial of service attacks against web servers.