Wouldn't the phone try to open the jpg file as a picture, and not execute it. Just like on desktop PCs: if you rename a .exe (application/program) to a jpg (picture file), and try to open the file, your image program will open the file, thinking it is a image file. The application code will not be executed.
Ideally, yes. But as demonstrated by the Microsoft GDI exploit, just because a file is not executed proper doesn't necessarily mean it's safe from problems in the underlying application.
I'd still say that this isn't really a problem directly (after all, it's considered "safe" to view a webpage with images that are loaded without prompting), but the fact that attachments are automagically loaded does provide a spectacular way to automatically infect a large amount of phones if somebody were to come up with a way to payload an attachment.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
