> If their patch just looks through the code for '0xf0, 0x0f, 0xc7, 0xc8' 
> when exec()'ing, then what stops the malicious from reassembling the
> sequence at runtime?

A description of the files touched by the patch was sent to bugtraq;
it claimed that only machdep.o and locore.o were touched, which
suggests to me that something subtler and more effective than a
brute-force search for the instruction pattern at exec time was done..