Effectively you could embed anything you like in a picture. For example in the EXIF data. If a photo viewer in fact has a vulnerability you could (under certain circumstances) cause a buffer overflow and execute arbitrary code on the targeted machine. It wouldn't be the first time that something like that is being used to take over a machine.