The vulnerability-to-worm cycle has shortened from 288 days in 1999 to 10 days this year, Foundstone analysts said in a report released earlier this week.
The security firm's analysis focused on major computer worms between 1999 and 2004, including Melissa, Code Red, Nimda, SQL Slammer, and Sasser.
Worms that required user interaction, such as opening attachments, and remotely controlled "bots" were not included in the trend report in order to focus solely on automated threats, Foundstone said.
The trend puts pressure on IT departments to fix vulnerabilities faster than ever, Stuart McClure, Foundstone president and CTO, said in a prepared statement.
"The window within which the good guys have to work is closing fast," he said.