It’s been a while since I did one of these, because, frankly, most security vulnerability reports try to obscure the details of bugs, and it’s a lot of work to go through and verify that a bug is due to bad parsing.
“We are aware of targeted attacks, largely in the Middle East and South Asia. … If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user.”
So we have a zero-day flaw that gets exploited by malformed data—that is, the data should be rejected by the parser, but isn’t.