I saw on Eddie's blog last week a post titled "Oracle Responds to the Password Hashing Algorithm Paper", which replicates an email from Oracle support refuting some of the claims in Josh and Carlos' paper. It starts with a statement that says the paper describes possible attacks when the hacker has the password hash available. This, as I have said previously, is the key to the weaknesses. The second paragraph suggests using industry standard practices for protecting databases. This, I feel, refers to password choice and also to the protection of the hashes from being accessed. The email finally points to a Metalink note (Doc ID 340240.1) which details steps to protect against these types of attack.