matthijs wrote: I wouldn't know.
What is wrong with having a JPEG file that contains PHP code in the comment section, for instance? Why would an antivirus detect it as a virus? That would be utterly retarded.
matthijs wrote: With the cookies and stealing of them, that is just one example of how images can be misused, isn't it?
I am a defender, not a cracker. I am honestly not that interested in knowing what kind of damage you are capable of doing. Yes, there are plenty of evil things you do not want to happen. The weirdest one I know of is that someone made Flash record a user's web camera, which showed the user typing his password and username. That was an exotic one.
matthijs wrote: Great. So what you basically say is I should, from now on, besides not running Java, not running JavaScript, no Flash, also block images on all sites I visit? That's no fun anymore, I better start reading books again.

I have said many times here and there that current web browser and web security is rotten. There are reasons why I have said that... I have sooo many suggestions for building up a better web. I would love to throw some at Chrome, because it is still so young.
Note that this is nothing new. When I installed Java and Flash for the first time, I knew they would have security vulnerabilities and would put me at risk. It is always a risk to install anything on your computer. JavaScript allows XSS, while Flash, Java, Silverlight, etc. create their own issues.
matthijs wrote: 
That's a nice solution. We just tell our client for which we build a community website, that the image uploading part will not be built in but go through Flickr, to make sure that their lawyers can always blame Flickr if something goes wrong ...
Just buy two domains: yoursite.com and yourfiles.com. You do not need two servers. You just upload to another folder and serve them through a different domain.
/home/yoursite.com/htdocs/uploader.php
uploads the image to:
/home/yourfiles.com/images/newimage.jpg
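
A sketch of the two-domain layout described above, added here as an example and not part of the original post: uploader.php runs on yoursite.com and writes into the yourfiles.com folder. The form field name `image`, the size limit, the accepted types, the `https://yourfiles.com/images` URL and the static-only serving of that folder are all assumptions.

```php
<?php
// uploader.php on yoursite.com (added example, not the poster's code).
// Assumption: the yourfiles.com vhost serves this folder as static files only
// (no PHP handler), so PHP text hidden in a JPEG comment is never executed.
const UPLOAD_DIR = '/home/yourfiles.com/images';    // folder served by the second domain
const FILES_URL  = 'https://yourfiles.com/images';  // assumed public URL of that folder
const MAX_BYTES  = 2 * 1024 * 1024;                 // assumed 2 MB limit
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Detect the type from the file contents, not from the client-supplied
    // name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('not an accepted image type');
    }
    // Server-chosen name and extension: the stored file can never end in .php
    // and the user-supplied filename never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    // The image is only ever linked from the second domain, so the browser
    // treats it as a different origin from the one holding yoursite.com cookies.
    return FILES_URL . '/' . $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['image'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(store_upload($_FILES['image']), ENT_QUOTES);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES);
    }
}
```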