Since the mention of OpenSSH can cause readers to jump to false conclusions: This attack still requires that the attacker's code runs on the victim machine; it is not a remote vulnerability.

(I don't think the authors implied otherwise, I just know that I somehow got confused for a second.)