I only watched the beginning at this point, but the presenter says something that does not bode too well for the rest. Speaking about how it was bad that the client side parser was insecure, especially for setuid clients:
This code was written in the eighties with the assumption that the server is trusted so there is little validation on the client side.
Well, of course the server is trusted. This is the code which runs on your local workstation. If your input terminal is compromised, you're so hosed anyway that it's not really worth considering exactly what hole they will be using !