how exactly do you access a kernel from the network without going via an application?
Hrm, I'd guess you're probably twenty-five or younger, given that question. You missed some good times.
Back in the day the TCP/IP stacks had quite a few bugs in them. Just about everyone lifted code from BSD 4.x (yeah, the original BSD). Once exploits for those started coming out, it was a race to see who could fix them the fastest. Linux (and I assume the BSDs, although I didn't follow them then) usually had a fix out within hours - Microsoft usually didn't have a fix for months, which did a lot for their poor security reputation back then.
The funny bit was when Microsoft released a fix for one of the exploits, which opened up another exploit, so you were guaranteed any Windows machine could be brought down by one or the other. I used that against IRC trolls back in the day. One little ping o' death would lock their machines hard. Not that I'd do that these days...
Anyway, check out this page for more info on it. Nowdays, of course, most of the TCP/IP bugs have been worked out, so this type of thing hasn't really been much of an issue for a while now. However, it's still possible there's bugs that haven't been found.
As an aside, my roomates and I discovered that NT 4.0 on Alpha would just stop if you flood pinged it. We called it the "remote pause button," because it would go on as if nothing had happened as soon as you stopped pinging it. Our friend who had the Alpha on the network was not amused.