Hi Andrew,
I think it's good to keep this thread open in the name of transparency!
The blog list page is something I coded myself and therefore I know there is nothing dodgy within it. I've done some quick googling on the exploit:-
National Vulnerability Database (NVD): CVE-2009-0075
I don't know how technical you are, but to paraphrase the details in the above link: it seems that there was a bug in the way IE7 handled errors in deleted webpage elements and it was possible to make a webpage that could create/delete objects to force this to happen.
Given that this vulnerability only existed in unpatched versions of IE7, and you weren't even running IE7, I am 99.999% confident that your machine is uncompromised and that this message is NIS throwing a false positive.
Furthermore, this exploit does not work via an inbound dodgy connection back to your PC - it works by the webpage's JavaScript exploiting IE's memory leaks and therefore allowing the webserver to run code on the user's machine. If there was a connection back to your PC, it would be very unlikely to be from port 80 (this is the standard WWW port). The port 1281 is actually the port on your machine that connected TO the webserver on port 80 - even though that error message makes it look like port 80 connected back to your machine.
The only explanation I can think of is something caused an error in the process of deleting an object (maybe the homepage hadn't completely finished loading when you clicked on the List Blogs link) and NIS thought it was an attempt to exploit this bug in IE. What I don't understand is why I haven't seen it, as I run NIS and Firefox 3.07 and must have clicked around thousands of times since I started working on the site.
Anyway, I hope this relieves you somewhat.
Cheers
Joe