The flaw affects every version of Windows, including Vista, and is actually the continuation of an old vulnerability that Microsoft supposedly fixed years ago.
The bug, according to Symantec's DeepSight threat notification service, resides in a feature known as Web Proxy Autodiscovery (WPAD), which helps IT administrators automate the configuration of proxy settings in Internet Explorer and other web browsers. The vulnerability can be "widely exploited" to "intercept web sessions, direct browsers to malicious proxies, and effectively gain control over unsuspecting users' web traffic,"
Microsoft appears to have released a patch for the vulnerability in 1999. But the patch only protected domain names ending in .com.