In some close reading of the OpenBSD kernel (for example) you'll notice that the shebang line is handled directly by the underlying exec() call. This is partly where the old thing about interpreted scripts under SUID had issues - #1 the OS reads the file, #2 interpretes the shebang, #3 executes the interpretor, #4 the interpretor reads from the already open file and executes. The attack was to replace the OK code with bad code somewhere between step #1 and step #4.

I think the fix was to prevent the non-SUID user from getting access to the SUID's user's about-to-be-passed filehandles though I don't really recall.