Super cool name!
But looking into it it seems they're saying they can store executable code (though limited to 255 bytes in length according to the MS docs) as a string in an atom table. They probably should be able to do this, shouldn't they? How could the atom table code tell if the bytes make up a string or an executable?
The issue seems to be that applications can read those strings and then be tricked into executing them. That's applications that trust their input too much. The idea that the atom tables are at fault because they're the source of that input seems a bit weird.
When you go to retrieve a string that someone else wrote you should validate it. You certainly shouldn't execute it. Wherever it comes from.