Google Fix
Google have now patched their boxes, and the last time I saw the exploit working was 5:51 GMT on 20th October 2004. The fix doesn't seem to be complete to me: it still special-cases the strings javascript and vbscript, so it's still possible to put things other than http URLs (which seem to me to be the only logical thing to allow) into the img. This may mean there are remaining vectors to attack, either with different script methods, or by playing with charsets that bypass the filtering.
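The difference between special-casing known-bad strings and allowing only http URLs, as an added example (not Google's code and not code from this post). The function names, the sample URLs and the decision to accept https alongside http are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

# The two strings the post says the fix special-cases.
BLOCKED_STRINGS = ("javascript", "vbscript")
# Assumption: https is accepted alongside http.
ALLOWED_SCHEMES = {"http", "https"}


def blocklist_accepts(url: str) -> bool:
    """Blocklist: reject only when a known-bad string appears anywhere."""
    lowered = url.lower()
    return not any(s in lowered for s in BLOCKED_STRINGS)


def allowlist_accepts(url: str) -> bool:
    """Allowlist: accept only absolute http(s) URLs that name a host."""
    # Refuse whitespace and control characters instead of trying to clean them.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


def render_img(url: str) -> str:
    """Emit the img tag only for allowed URLs, with the attribute escaped."""
    if not allowlist_accepts(url):
        return ""
    return '<img src="%s">' % html.escape(url, quote=True)


# Constructed sample inputs, not taken from the post.
SAMPLES = [
    "http://images.example/logo.png",
    "javascript:void(0)",
    "vbscript:x",
    "ftp://files.example/logo.png",
    "about:blank",
]


def compare(samples=SAMPLES):
    """Return (url, blocklist verdict, allowlist verdict) for each sample."""
    return [(u, blocklist_accepts(u), allowlist_accepts(u)) for u in samples]


if __name__ == "__main__":
    for url, blocked_ok, allowed_ok in compare():
        print(f"{url!r:40} blocklist={blocked_ok} allowlist={allowed_ok}")
```

The last two samples pass the blocklist and fail the allowlist, which is the gap the paragraph above describes.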
The Problem
For over two years Google has had a script insertion flaw. I reported it two years ago, and again a couple of months ago, but still it's not been fixed. Google Desktop has made the situation worse, as Google search results now include the content of local files. With this in mind I produced a couple of simple example exploits.
Credit Card Phishing example
You can replace the content of the Google page with your own content; here I replaced it with a simple credit card submission form suggesting that Google will shortly become a subscription service. Screenshot of it in use.
The desktop sniffer example
Visit Google with this link, and the inserted Google Desktop search for password will be reported to my site.
The exploit might be easier to do with a custom form: