>I think a similar exploit was used recently with .svg images - they can contain javascript (being XML) which will be executed by the browser. Not sure about the details however.

However, the JavaScript shouldn't execute if the image is embedded via <img>.