Recent web attack flawed, reducing effectiveness

Mary Landesman at ScanSafe recently reported a script injection attack, and Ryan Naraine picked up the story over on the Zero Day blog. While the initial report describes 55,000 web pages (not web sites as the Zero Day post states) as distributing the payload, it appears that the real number is significantly lower. For example, Google is only reporting 1,105 infected domains that point to the site described in the story. Why the discrepancy? It appears that the attack was flawed, injecting its script code in many cases into the page title or other locations within the HTML that aren't parsed for scripts by most browsers. In other words, the malicious script has been injected into a web page, but most visitors to the page aren't at any risk of the script actually running.
Despite the threat being a bit overblown, the fact that many thousands of sites had this malicious code inserted highlights the vulnerability of these sites. It's not clear what the infection vector was, though based on a very preliminary sample, it does not appear to be platform-specific, indicating it might be a result of local malware on the computers of the sites' owners/webmasters.
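
The flaw described above can be checked for when triaging a list of affected pages. The following is an added example, not code from the original post or from the ScanSafe report: it classifies each injected `<script>` string by where it landed. The list of text-only elements, the comment and attribute cases, and the constructed sample page with its placeholder host are assumptions drawn from general HTML parsing rules; the post itself names only the page title.

```python
import re

# Constructs whose content an HTML parser treats as plain text, so a "<script>"
# string inside them never becomes a script element. This list comes from HTML
# parsing rules; the post itself only names the page title.
TEXT_ONLY = {"title", "textarea", "style", "xmp", "iframe", "noembed", "noframes"}

# A comment opener, or a start tag with quoted attribute values consumed whole.
TAG = re.compile(r"<!--|<([a-zA-Z][a-zA-Z0-9]*)((?:\"[^\"]*\"|'[^']*'|[^'\">])*)>")
SCRIPT = re.compile(r"<script\b[^>]*>", re.I)


def _close(html, name, pos):
    """Offset of the matching end tag, or end of input if it is never closed."""
    m = re.compile(r"</%s\b" % name, re.I).search(html, pos)
    return m.start() if m else len(html)


def classify_injections(html):
    """Return (context, tag) per <script> string; context is 'executable' or
    the name of the construct that leaves the tag inert."""
    findings, pos = [], 0
    while (m := TAG.search(html, pos)):
        pos, name = m.end(), (m.group(1) or "").lower()
        if m.group(0) == "<!--":
            end = html.find("-->", pos)
            context, end = "comment", len(html) if end < 0 else end
        elif name == "script":
            findings.append(("executable", m.group(0)))
            context, end = None, _close(html, "script", pos)
        elif name in TEXT_ONLY:
            context, end = name, _close(html, name, pos)
        else:  # ordinary tag: a script string can only sit in a quoted attribute
            findings += [("attribute", s) for s in SCRIPT.findall(m.group(2))]
            continue
        if context:
            findings += [(context, s) for s in SCRIPT.findall(html[pos:end])]
        pos = end
    return findings


# Constructed sample page; malicious.example is a placeholder host.
INJ = "<script src=http://malicious.example/x.js></script>"
SAMPLE = (f"<html><head><title>Shop{INJ}</title></head><body>"
          f"<input value=\"{INJ}\"><!-- {INJ} --><p>Deals{INJ}</p></body></html>")

if __name__ == "__main__":
    for context, tag in classify_injections(SAMPLE):
        print(f"{context:10} {tag}")
```

Only findings marked `executable` put visitors at risk, but every finding means the page was modified and the site still needs cleanup.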