Google Search Appliance Vulnerability
HD Moore of Metasploit wrote to tell us that they have been doing some testing to see who has been naughty and who has been nice. Metasploit found a potential XSS vulnerability in Google's search appliance and worked with Google to get a patch issued. Details are at http://metasploit.com/research/vulns/google_proxystylesheet/.
One day after the patch came out, Moore did a bit of Internet analysis and reported this: "Nov 22 2005 - Quite a few people were wondering what percentage of the Internet-accessible appliances have yet to apply the patch. We decided to do some statistical sampling and find out. We selected 43 appliances at random from a Google query for inurl:proxystylesheet. Of these 43 systems, 23 were confirmed vulnerable (non-invasively), 8 were definitely patched, and the remaining 12 could not be determined one way or another (for a variety of reasons). If we assume this sample was anything close to the real distribution, we are talking about over half (53%) of all appliances being unpatched."
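As an added example (not from Moore's write-up or this diary), the Python below shows how much uncertainty a 43-host sample carries: a 95% Wilson score interval on the quoted 23-of-43 figure, and the range implied by the 12 undetermined hosts. The function names and the choice of the Wilson interval are assumptions of this example.

```python
import math


def wilson_interval(hits, n, z=1.96):
    """Wilson score interval for a binomial proportion (z=1.96 is ~95%)."""
    if n <= 0 or not 0 <= hits <= n:
        raise ValueError("need 0 <= hits <= n and n > 0")
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def unpatched_estimate(vulnerable, patched, undetermined):
    """Summarise a patch-status sample that contains undetermined hosts."""
    total = vulnerable + patched + undetermined
    determined = vulnerable + patched
    return {
        # Quoted figure: confirmed vulnerable over the whole sample.
        # It is also the floor, reached if every undetermined host is patched.
        "point": vulnerable / total,
        "ci95": wilson_interval(vulnerable, total),
        # Ceiling within the sample: every undetermined host is unpatched.
        "ceiling": (vulnerable + undetermined) / total,
        # Rate among hosts whose status could actually be determined.
        "determined_rate": vulnerable / determined,
        "determined_ci95": wilson_interval(vulnerable, determined),
    }


if __name__ == "__main__":
    # Counts taken from the quoted Nov 22 2005 sample.
    for key, value in unpatched_estimate(23, 8, 12).items():
        print(key, value)
```

The interval covers sampling error only; it assumes the 43 hosts were drawn at random from the population of exposed appliances, as the quote states.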