There are a couple of factors that minimise the threat associated with the photos laced with Shah’s code. First, as mentioned above, the exploit works on vulnerable browsers. If you open the picture in any desktop photo-viewing application, it is completely harmless. Second, the image you upload to the internet should be devoid of any extensions. This means you cannot upload a tainted image to websites like CrazyEngineers, where we allow files of certain extensions to be uploaded. Finally, it is nearly impossible to successfully upload these images to social networking websites because services like Facebook and Google+ like to get rid of unnecessary data on any image before upload.
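The two upload-side checks described above, an extension allowlist and removal of data an image does not need, can be sketched for PNG as follows. This is an added example, not code from the article, from Shah, or from any of the services named; the allowlist, function names and sample image are assumptions constructed for illustration, and the sketch leaves pixel data untouched rather than re-encoding it.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}  # chunks needed to render
ALLOWED_EXT = {".png"}  # assumed site allowlist

def chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC-32."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def sanitize_upload(filename, blob):
    """Return (clean_png, dropped_items); raise ValueError on rejection."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    if ext not in ALLOWED_EXT:  # also rejects extensionless names
        raise ValueError("extension not allowed")
    if not blob.startswith(PNG_SIG):
        raise ValueError("content is not a PNG")
    out, dropped, pos = [PNG_SIG], [], len(PNG_SIG)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != zlib.crc32(blob[pos + 4:end - 4]):
            raise ValueError("bad chunk CRC")
        if ctype in CRITICAL:
            out.append(blob[pos:end])
        else:
            dropped.append(ctype.decode("latin-1"))  # ancillary metadata
        pos = end
        if ctype == b"IEND":
            if pos < len(blob):  # bytes appended after the image ends
                dropped.append("trailing:%d" % (len(blob) - pos))
            return b"".join(out), dropped
    raise ValueError("missing IEND")

def sample_png():
    """Constructed 1x1 grayscale PNG with a text chunk and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"tEXt", b"Comment\x00constructed")
            + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"") + b"<extra>")
```
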
Saumil Shah discussed his findings at the HITBSecConf 2015 held in Amsterdam on 28th May. Before his presentation he sat down with the folks over at Motherboard to show them how he was able to inject the code in a picture and wreak havoc on an infected PC.
Source: Crazy Engineers