Web browsers = Internet Explorer?
First, a few comments about the wording selected for the report. In the very first paragraph the authors explain the honeymonkey project

consists of a network of monkey programs running on virtual machines with different patch levels and constantly patrolling the Web to hunt for Web sites that exploit browser vulnerabilities.

Internet attacks that use a malicious, hacked, or infected Web server to exploit unpatched client-side vulnerabilities of visiting browsers are on the rise. Many attacks in the past 12 months fell into this category, including Download.Ject, Bofra, and Xpire.info.

For instance, let us look a little closer at the Download.Ject virus (CERT Vulnerability Note VU#713878 ) and see what one of the recent recommendations from CERT was:

Use a different web browser

There are a number of significant vulnerabilities in technologies related to the IE domain/zone security model, trust in and access to the local file system (Local Machine Zone), the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented as operating system components that are used by IE and many other programs to provide web browser functionality. These components are integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

For instance, many people are now switching to the Firefox web browser. Finding vulnerabilities in the Firefox browser is a little harder, but there are some out there. Let's look at this one (Vulnerability Note VU#927014) in particular - it involves the shell: handler when running the Mozilla software on a Windows system:

Since the ability to invoke programs with the shell: moniker is handled natively by the Windows operating system, any program that passes these URIs off to the operating system (Internet Explorer, Outlook, etc.) exposes a similar vulnerability. Non-Windows versions of the mozilla products listed above do not expose this vulnerability because they do not handle the shell: URIs.

Some Monkey Numbers
Moving on through the Microsoft report, the authors next explain how the honeymonkey project was conducted. The first thing I found interesting (amazing really) is their claim that

There are 10 billion web pages out there...

Windows "hosts" files [HF] that are used to block advertisements and bad sites, and lists of known-bad web sites that host some of the most malicious spyware programs.

Out of the sample sites, Microsoft's project discovered 752 pages that attempted to infect a Windows machine at Service Pack 1 unpatched. These pages were confined to 287 sites or about 3 exploits per site average. Going back to our worldwide numbers, if we assume that 99.999% of all web pages are safe, that would leave approximately 100,000 pages throughout the world that could be considered "potentially malicious" pages and if the math holds up, about 30,000 sites. Of course, this is just an assumption at this point that needs to be tested as to the accuracy of the 99.999% figure. Based on that though, if Microsoft's results are accurate, approximately 15% of the potential targets represent actual threats, or about 15,000 pages worldwide (or 5,000 sites).

You may be tempted to think that your odds of hitting one of these sites is miniscule. After all, 5,000 sites represents only 7 thousandths (.007) of all web sites. However, according to Microsoft they

have verified that one of the five companies is also serving exploiting ads on a large number of popular Web pages.

As Microsoft concludes their paper, they report on some early work they are doing "monitoring the top one million click-through links from a search engine". As they report,

Preliminary results reveal that contaminated Web pages that unknowingly serve ads that exploit browser vulnerabilities may be a serious concern.

Conclusions
What conclusions can we draw from an analysis of this report? What might we expect from Microsoft in the future?

• First, Microsoft has written the report using generic terms like "web browser" when in fact the study used Internet Explorer. For users, this is important to realize as even US Cert has recommended users switch to a different browser to avoid some vulnerabilities.
• Even switching browsers can leave users exposed as Microsoft has embedded their rendering engine so deeply in the operating system of Windows, that any application can invoke MSHTML and trigger a vulnerability.
• Users may think there are a small number of sites serving these exploits. As Microsoft notes though, the exploiters are figuring out how to get their malicious code served up via innocent looking shopping sites, screen savers, and search engine results. It would appear they are also figuring out how to get unsuspecting webmasters to include malicious code on their sites via advertising banners.
• Microsoft only focused on its XP versions of Windows. For users with older versions, a reasonable conclusion is that there is an even greater risk. Even with XP, Microsoft's results indicate only a fully patched, SP2 level machine was shielded from the exploits their project discovered. I suspect this will somehow be used as an argument for users to upgrade. For corporate customers, I suspect this will be used as an argument for an investment in Microsoft's tools needed to push patches out to all machines.
• Microsoft indicates they want to get more information into the hands of their customers. It is unclear whether they have done anything to help their customers that use search engines other than MSN. On its face, the work they are doing ignores their customers who have chosen to use browsers other than Internet Explorer. And this is just my opinion, but the results of their study could have been much more thoroughly presented such that customers could try to replicate the results if they were so inclined. As it is, users have to take Microsoft at their word regarding the number of exploits found.

What is a user to do? It seems to me the honeymonkeys make a pretty good argument for switching to an operating system like Linux that does not even contain the MSHTML rendering engine. If you are staying on Windows, at the very least switch to something like Firefox for your web browsing. And disable ActiveX scripts, install good anti-virus software and good anti-spyware software. Of course, all of these recommendations have been made for several years now and still problems persist. Perhaps it is time for you as a user to get a little more radical and change your operating system?