The flaw is present due to how Windows resolves hostnames, and would require someone on the outside to have registered a name that is likely to be given out as a DNS suffix. It could potentially be a problem with smaller ISPs, but there are no “reported” attacks using this particular flaw. In a worst-case scenario, a fake WPAD server could issue out bad DNS results to a machine, letting them redirect people to fake sites. The article clams that as many as 160,000 machines in New Zealand could be affected, let alone worldwide, but it is still unlikely that the problem is widespread.
Likely the issue will be fixed in the next patch cycle. Maybe.