Web smarts is the main defence against spyware
Over at the Security Fix, Brian Krebs is talking about spyware and the fact that keeping up to date on patches and running current antivirus with current definitions are not enough to protect your machine from spyware. He sums it up by saying common sense is the best defence.
Over the course of the article he hits on a couple of points that have made the news lately. One of these is the Sunbelt discovery of a massive identity theft ring, which is mentioned in several postings here and here.
He also mentions the call at the SANS Institute (incidents.org) for links to malware. (Discussed here.) He also mentions a study by Microsoft using their honeymonkeys project that finds a number (750) of web pages that attempted to load malicious software onto a user's browser. One attempted to use a previously undisclosed exploit.
He does point out that patching your system keeps out MOST of the bugs and cites a Security Focus study that found 257 sites that were dangerous to an unpatched Service Pack 2 (Windows XP) system. A system that was just partially updated was vulnerable to only about 10 sites. The bottom line in his article, and really for most of the security community, is to have a healthy amount of suspicion of unsolicited links that come in through email.
As always, the weakest link in computer security is usually the user.