Regarding the attack:
I think the attack would not work since the hash part of the key would be different with other than 0 out value.
I don't think so. Check
https://en.bitcoin.it/w/images/en/7/70/Bitcoin_OpCheckSig_InDetail.pngThe script scriptSig is completely removed from the transaction when the hash is performed. It's replaced by a part of the previous scriptPubKey.
