I brought up this latest IE exploit with a friend from the toolbar team (an ex-Microsoftie). He said (if I understood him right) that for whatever reason the jpeg code is often statically linked into programs.
I remember almost immediately after MS added "favicons" to IE, people were putting core files there -- just about anything that wasn't a BMP would crash whichever version of IE that was as soon as you tried to bookmark the page.
That's highly annoying. Not because it crashed my browser, but because it swapped out everything! And my galeon got sporadically really slow after I closed the tab it was opening in. I have to wonder what exactly was causing that behavior.
Also fun: save it to your Desktop. Nautilus absolutely loves it.
I think part of the problem is that affected apps use GDI+, the new Win32 graphics API. Since GDI+ is relatively new, it's only included with XP and newer versions of Windows, so developers that want to use it need to distribute gdiplus.dll with their application. To prevent "DLL Hell" (versioning issues), these apps often install gdiplus.dll into their own directory instead of the system32 directory. Of course, this means that they need to be individually upgraded.
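A defender's inventory of the per-application gdiplus.dll copies described in the post above, added here as an example that is not from the thread. It assumes a Windows host with PowerShell 3 or later; the MinimumVersion value is a placeholder, since the page gives no patched version number.

```powershell
# Added example, not from the thread: list every gdiplus.dll on the local fixed
# drives so private (per-application) copies can be told apart from the copies
# the OS manages under %SystemRoot%. MinimumVersion is a PLACEHOLDER; supply the
# patched version for the environment being checked.
param(
    [version]$MinimumVersion = [version]'0.0.0.0'
)

$windir = $env:SystemRoot

# Fixed disks only (DriveType 3); removable media and network shares are skipped.
$roots = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID + '\' }

function Get-NumericFileVersion {
    param([System.IO.FileInfo]$File)
    # FileVersion strings can carry a build tag after the number, e.g.
    # "5.1.3102.1360 (xpsp_sp2_rtm.040803-2158)"; keep only the leading dotted numbers.
    $raw = ($File.VersionInfo.FileVersion -split '\s')[0]
    try { return [version]$raw } catch { return $null }
}

$report = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'gdiplus.dll' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ver = Get-NumericFileVersion -File $_
            [pscustomobject]@{
                Path     = $_.FullName
                Version  = $ver
                # Copies outside %SystemRoot% (System32, SysWOW64, WinSxS) are the
                # per-application ones; each is updated only by its own installer.
                Private  = -not $_.DirectoryName.StartsWith($windir, [System.StringComparison]::OrdinalIgnoreCase)
                # A copy whose version cannot be read is treated as suspect, not as current.
                Outdated = ($null -eq $ver) -or ($ver -lt $MinimumVersion)
            }
        }
}

$report | Sort-Object Outdated -Descending | Format-Table -AutoSize

$privateOutdated = @($report | Where-Object { $_.Private -and $_.Outdated })
Write-Host ("{0} gdiplus.dll copies found, {1} private copies below {2}" -f `
    @($report).Count, $privateOutdated.Count, $MinimumVersion)
```

Run it elevated so directories readable only by administrators are included in the walk.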
What's really scary is the script kiddie friendly metasploit framework which greatly simplifies the process of going from PoC to effective exploit. I have a feeling exploits are going to start popping up around 5pm eastern tomorrow...