For example, attackers used the Forbes.com website last month for a quick watering hole attack. According to Dallas-based research firm iSIGHT Partners, Inc., the attack only lasted a couple of days in late 2014, used a zero-day Adobe Flash vulnerability, and was linked to a Chinese cyber espionage group.
"We saw the Forbes.com hack, and that there were quite a few other sites being hacked, delivering malware, targeting innocent users," said Menlo Security's CTO Kowsik Guruswamy. "We were curious how that malware got there in the first place."
To find out, the company went through the top million global websites, based in Alexa rankings. They downloaded everything that a typical user would when visiting the site, including iFrames, embeds, widgets, ad networks -- everything needed to fully render the page.
"We compared them to all the known malware domains, and fingerprinted exactly what kind of services the server was running," he said.
Menlo detected no vulnerabilities on 66 percent of the sites, but the remaining 34 percent were classified as "risky."
In particular, 22 percent were running on vulnerable infrastructure.
For example, more than 10 percent of all sites are running a vulnerable version of the PHP application framework.
Another 8 percent are running vulnerable Web server software, evenly split between Apache and IIS.
About 2 percent of the sites run vulnerable content management systems, evenly split between Wordpress and Drupal.
Finding out that a site is running vulnerable software doesn't take any special skill -- the report pointed out that information about a website's underlying software infrastructure is provided to any browser that asks for it.
Beyond the vulnerabilities themselves, 4 percent of the top websites are actively hosting malware. Another 3 percent were serving up spam or running botnets.
Guruswamy pointed out that these are among the most trusted sites in the world.
The company also looked at the categories that the sites fell into, and the vulnerability rate stayed generally around 20 or so percent for most mainstream sites, including technology, business, shopping, entertainment, news, travel, finance, sports, and health.
Some niche categories had vulnerability rates much higher, he added, up to as much as 80 percent.
"For illegal download sites, you expect it to be bad," he said.
But users and enterprises are already wary of those sites, he said.
"Forbes.com is a well-known site," he said. "People think, 'let's not worry about it.' But that's the wrong conception."
Unfortunately, he had no solutions to offer for enterprises looking to protect their employees.
"The current methods aren't working," he said.