The SANS Institute, an independent research group, said that the IT industry has been "set back years", because software vendors have neglected security.
"A large component of the cyberthreat shifted during 2005," said SANS.
"Last year the most critical vulnerabilities in the announcement were associated with Windows and UNIX/Linux operating systems. This year, more than one-third are in applications -- some of them security and back-up applications that people thought kept them safe," the group claimed. "This heralds a big increase in the threat because many of the application vendors do not provide automated patching."
SANS cited the discovery earlier this year of a flaw in Veritas's NetBackup storage product, which exposed companies to remote attackers.
SANS compared the situation to the days when Microsoft was heavily criticised for not making more efforts to secure Windows.
"We're in exactly the same position as six years ago -- the user community just hasn't noticed it yet," according to Alan Paller, director of the SANS Institute, speaking at the launch of the report.
SANS unveiled the findings at the UK's Department of Trade and Industry, where it called on application developers to give security a much higher priority.
The group cited Microsoft's development of regular monthly patch updates as an example of good practice, although this took several years to develop.
However, these automatic updates have bred complacency, SANS warned, because they have encouraged users to neglect their own patching and leave it in Microsoft's hands.
Robert Chapman, chief executive of The Training Camp, which runs courses for IT professionals, said the SANS report underlined the need for tight security.
"The news that hackers are now targeting unprotected applications, such as back-up software, will not come as a shock to IT security professionals. The fact is that hackers are constantly seeking new ways to attack our systems, as evidenced by the vicious war waged against unprotected wireless devices," said Chapman.
"In the long term the responsibility for making applications less vulnerable lies with the vendor, but in the interim it is vital that IT staff defend their companies' desktops," he added.
ZDNet UK's Graeme Wearden and Tom Espiner reported from London. For more coverage from ZDNet UK, click here.
