<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: DNS Facts and Scenarios</title>
	<atom:link href="http://securityblog.verizonbusiness.com/2008/07/25/dns-exploits-what-could-actually-happen/feed/" rel="self" type="application/rss+xml" />
	<link>http://securityblog.verizonbusiness.com/2008/07/25/dns-exploits-what-could-actually-happen/</link>
	<description>Risk Intelligence from Verizon Business Security Solutions powered by Cybertrust</description>
	<pubDate>Tue, 06 Jan 2009 08:38:15 +0000</pubDate>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>By: df</title>
		<link>http://securityblog.verizonbusiness.com/2008/07/25/dns-exploits-what-could-actually-happen/#comment-25</link>
		<dc:creator>df</dc:creator>
		<pubDate>Fri, 25 Jul 2008 20:47:23 +0000</pubDate>
		<guid isPermaLink="false">http://securityblog.verizonbusiness.com/?p=131#comment-25</guid>
		<description>"First, we are unaware of any evidence of any new attacks in this realm. DNS cache poisoning is a very old attack technique. So far there is discussion and angst, but no new attack activity."

Are you not counting that the attack was made available as a module for Metasploit about 36 hours before this was posted? Also, the fact that the technique of DNS cache poisoning is very old is irrelevant. Almost all (if not all) new exploits are applications of very old techniques.


"Q: But couldn’t the criminal attack and “own” the user’s browser?
A: Only if that browser was vulnerable anyway. "

Or you are running JavaScript, which almost every browser is. Even if you are using Firefox with NoScript, if it is a trusted site, you likely will have allowed the site to execute JS in your browser. See Jeremiah's Black Hat presentations from 2005 and 2006.
		http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-grossman.pdf
		http://jeremiahgrossman.blogspot.com/2006/08/home-from-blackhat-and-defcon.html


"But even if all of these things fail, the criminal still only has ownership of PCs in your company which have visited the same site."

But once the criminal has control over one computer, he can cause that computer to initiate requests for any domain he wishes, launching his UDP flood at the same time, and thereby poisoning even more domains for that company. Not to mention he then has some degree of access behind your firewall and can begin probing your internal network; and that is still with nothing more than JS.


"Q: Couldn’t the criminal snooker the user into typing in personally identifying information to be exploited later?
A: Only if that user would have done so anyway. If the new site has a certificate, it will fail and the user will get certificate errors in the browser."

Why wouldn't the user type their login information into their bank's website? As far as the certificate is concerned, there are a couple of other options here. The more likely is that "Mallory" will get a valid cert on a look-alike domain, and the user isn't likely to notice the difference. More evil, but substantially less likely: if a cert vendor has their DNS cache poisoned, then Mallory could get a cert with the real domain name issued for his site. Many cert vendors will issue a basic cert with little more than an uploaded CSR and a matching file on the server. The criminal doesn't have to redirect to the bank, thereby revealing a single IP; the criminal could just put up a "service unavailable" notice after login.


"The ISP hosting the poisoned DNS would probably get support calls from customers unable to get to their search engine"

Because all of those people using free WiFi at coffee shops know who to call for support? What are they going to do? Tell the barista they can't get to a specific web site? The barista has more important things to worry about, like was that a half-foam, no-fat or a no-foam, half-fat latte?


"Q: Couldn’t criminals perform man-in-the-middle (MITM) attacks?
A: Sure, but consider the volume and the processing power they’d require."

It would not require much processing power at all to copy all emails sent to a domain and then forward the message on to the intended mail server.</description>
		<content:encoded><![CDATA[<p>&#8220;First, we are unaware of any evidence of any new attacks in this realm. DNS cache poisoning is a very old attack technique. So far there is discussion and angst, but no new attack activity.&#8221;</p>
<p>Are you not counting that the attack was made available as a module for Metasploit about 36 hours before this was posted? Also, the fact that the technique of DNS cache poisoning is very old is irrelevant. Almost all (if not all) new exploits are applications of very old techniques.</p>
<p>&#8220;Q: But couldn’t the criminal attack and “own” the user’s browser?<br />
A: Only if that browser was vulnerable anyway. &#8221;</p>
<p>Or you are running JavaScript, which almost every browser is. Even if you are using Firefox with NoScript, if it is a trusted site, you likely will have allowed the site to execute JS in your browser. See Jeremiah&#8217;s Black Hat presentations from 2005 and 2006.<br />
		<a href="http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-grossman.pdf" rel="nofollow">http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-grossman.pdf</a><br />
		<a href="http://jeremiahgrossman.blogspot.com/2006/08/home-from-blackhat-and-defcon.html" rel="nofollow">http://jeremiahgrossman.blogspot.com/2006/08/home-from-blackhat-and-defcon.html</a></p>
<p>&#8220;But even if all of these things fail, the criminal still only has ownership of PCs in your company which have visited the same site.&#8221;</p>
<p>But once the criminal has control over one computer, he can cause that computer to initiate requests for any domain he wishes, launching his UDP flood at the same time, and thereby poisoning even more domains for that company. Not to mention he then has some degree of access behind your firewall and can begin probing your internal network; and that is still with nothing more than JS.</p>
<p>&#8220;Q: Couldn’t the criminal snooker the user into typing in personally identifying information to be exploited later?<br />
A: Only if that user would have done so anyway. If the new site has a certificate, it will fail and the user will get certificate errors in the browser.&#8221;</p>
<p>Why wouldn&#8217;t the user type their login information into their bank&#8217;s website? As far as the certificate is concerned, there are a couple of other options here. The more likely is that &#8220;Mallory&#8221; will get a valid cert on a look-alike domain, and the user isn&#8217;t likely to notice the difference. More evil, but substantially less likely: if a cert vendor has their DNS cache poisoned, then Mallory could get a cert with the real domain name issued for his site. Many cert vendors will issue a basic cert with little more than an uploaded CSR and a matching file on the server. The criminal doesn&#8217;t have to redirect to the bank, thereby revealing a single IP; the criminal could just put up a &#8220;service unavailable&#8221; notice after login.</p>
<p>&#8220;The ISP hosting the poisoned DNS would probably get support calls from customers unable to get to their search engine&#8221;</p>
<p>Because all of those people using free WiFi at coffee shops know who to call for support? What are they going to do? Tell the barista they can&#8217;t get to a specific web site? The barista has more important things to worry about, like was that a half-foam, no-fat or a no-foam, half-fat latte?</p>
<p>&#8220;Q: Couldn’t criminals perform man-in-the-middle (MITM) attacks?<br />
A: Sure, but consider the volume and the processing power they’d require.&#8221;</p>
<p>It would not require much processing power at all to copy all emails sent to a domain and then forward the message on to the intended mail server.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
