Actually when they released the initial vulnerability info, they also stated their research wasnt concluded. At that point they had only tested it on a few systems(actually i think only one). About a week later they issued this statement:
"We have inspected this issue a bit more, and found out that on most Unix systems
the buf buffer is not followed by such data. We base this conclusion upon the
simple fact that we didn't manage to crash sendmail by feeding it with 250
sequences of <> chars in the from address string. This means that this issue does
not seam to be exploitable on them. The following table presents a summary of
our findings:
Freebsd 4.4 - (default & self compiled Sendmail 8.11.6) does not crash
Solaris 8.0 x86 - (default & self compiled Sendmail 8.11.6) does not crash
Solaris 8.0 sparc - (default & self compiled Sendmail 8.11.6) does not crash
HP-UX 10.20 - (self compiled Sendmail 8.11.6) does not crash
IRIX 6.5.14 - (self compiled Sendmail 8.11.6) does not crash
AIX 4.3 - (binary of Sendmail 8.11.3 from bull.de) does not crash
RedHat 7.0 - (default Sendmail 8.11.0) does not crash
RedHat 7.2 - (default Sendmail 8.11.6) does not crash
RedHat 7.3 (p) - (patched Sendmail 8.11.6) does not crash
RedHat 7.0 - (self compiled Sendmail 8.11.6) crashes
RedHat 7.2 - (self compiled Sendmail 8.11.6) crashes
RedHat 7.3 - (self compiled Sendmail 8.11.6) crashes
Slackware 8.0 (p) - (patched Sendmail 8.11.6 binary) crashes
Slackware 8.0 - (self compiled Sendmail 8.12.7) does not crash
RedHat 7.x - (self compiled Sendmail 8.12.7) does not crash"
You can read there full finding on the vulnerability here:
http://lwn.net/Articles/24292/ Other people have written exploits for this vulnerability but not as many systems as you think are vulnerable.
