Again on MS06-041
This is one of those vulnerabilities that can really bring big problems (like very aggressive worms and viruses).
The vulnerability is in the Windows DNS client. It seems that it can be exploited by specially crafted Resource Records (RRs) in responses from a malicious server. These are not RRs usually present in the queries generated by common user activity, but I'm curious about how an attacker can force a client to make the "vulnerable query".
I went to check some details of DNS responses and noticed that the server can send "Additional RRs" in the response. My remaining questions are:
1 - Can the exploitable RRs be sent inside the "additional" part of a response to a common A/CNAME query?
2 - Can the vulnerability be exploited when the crafted RRs are inside the "additional" section?
3 - When using recursive queries, are the additional records sent by a server forwarded to the original source of the query?
Depending on the answers to these questions, the severity level of the vulnerability changes. In the worst case, any DNS server and an HTML e-mail can be enough to exploit it.
Another problem can be Windows servers that resolve names (or IPs into names) when logging requests (like web servers and proxies). The malicious guy accesses the server, which tries to resolve his IP to a name to put it in the log. The answer comes with additional fields carrying the exploit. Bingo! Owned. Wow. While in doubt, folks, patch ASAP.
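A defender-side check for question 1, added here as an example and not part of the original post: a small parser over the DNS wire format that lists which RR types arrive in the Additional section of a response without having been asked for. The response bytes, the name example.com and the address 192.0.2.1 are constructed for the demo; the unrequested record is a plain TXT record chosen only to illustrate the check, not any record type involved in MS06-041.

```python
import struct

# Human-readable names for a few common RR type codes (RFC 1035 values).
RR_TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT"}

def _read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                       # resume after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg):
    """Return (queried type, {section: [RR type codes]}) for a DNS response."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    _qname, off = _read_name(msg, off)              # single question assumed
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    sections = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        types = []
        for _ in range(count):
            _rrname, off = _read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen                       # skip the RDATA without parsing it
            types.append(rtype)
        sections[section] = types
    return qtype, sections

def unrequested_additional(msg):
    """RR types in the Additional section that differ from the queried type."""
    qtype, sections = parse_response(msg)
    return [RR_TYPE_NAMES.get(t, str(t)) for t in sections["additional"] if t != qtype]

def _wire_name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

# Constructed sample: answer to "A example.com" plus an unrequested TXT record.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
          + _wire_name("example.com") + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
          + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, 6) + b"\x05hello")
```

A resolver or filter in front of unpatched clients could drop such records before handing the response on, since a stub client that asked for an A record has no use for them.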