WebSense writeup here.
We are starting to see mass mailing lures for websites that are hosting VML exploit code. Most of the sites are using updated Web-Attacker code. A recent example that came to us from Message Labs appears to lure users to the site by claiming they have received a Yahoo! Greeting Card. The site downloads and installs an Internet Explorer Browser Helper Object that directs all HTTP posts from forms to a third party, and then collects information on end-users.
Alex Eckelberry