It's no longer necessary to run attacker code on the victim system.
https://arstechnica.com/?p=1349267