The #badBIOS malware that Dragos Ruiu is currently analyzing allegedly modifies TrueType font files on compromised systems. Presumably the “evil thumb drives” that infect the machines use some kind of exploit that gives them low-level access, most likely during USB device enumeration. Once on the system, TTF files are modified (amongst many other things). Modified fonts would be one way for the malware to get its payload executed, and that payload presumably ensures that any thumb drive inserted into the machine from that point on has its firmware reflashed so the malware continues spreading.
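The claim above is that the malware alters TrueType font files in place. One cheap integrity check a practitioner can run over a system's font directory, added here as an example that is not from the original post or from Ruiu's analysis: parse the sfnt table directory and verify every table's checksum and the 'head' table's checkSumAdjustment, both of which are defined by the OpenType specification. A careless in-place modification breaks both. An attacker who understands the format can simply recompute them, so a pass is weak evidence and a failure is a lead to compare the file against a known-good copy or a hash baseline, not a verdict on its own. The sample font (build_font, SAMPLE_TABLES) is constructed purely as test input and is not a usable font; the function names are this example's own.

```python
import struct

# Accepted sfntVersion values: 0x00010000, 'true' (TrueType) and 'OTTO' (OpenType/CFF)
SFNT_VERSIONS = {0x00010000, 0x74727565, 0x4F54544F}
HEAD_MAGIC = 0xB1B0AFBA  # constant from the 'head' table spec used to derive checkSumAdjustment


def table_checksum(data):
    """sfnt checksum: sum of big-endian uint32 words, zero-padded to a 4-byte multiple, mod 2**32."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for (word,) in struct.iter_unpack(">I", padded):
        total = (total + word) & 0xFFFFFFFF
    return total


def parse_table_directory(font):
    """Return (sfntVersion, [(tag, checkSum, offset, length), ...]) from the header and table records."""
    if len(font) < 12:
        raise ValueError("too short to be an sfnt file")
    sfnt_version, num_tables = struct.unpack(">IH", font[:6])
    records = []
    for i in range(num_tables):
        rec = font[12 + 16 * i:12 + 16 * i + 16]
        tag, checksum, offset, length = struct.unpack(">4sIII", rec)
        records.append((tag.decode("latin-1"), checksum, offset, length))
    return sfnt_version, records


def verify_font(font):
    """Return a list of findings; an empty list means every table checksum and checkSumAdjustment verifies."""
    findings = []
    sfnt_version, records = parse_table_directory(font)
    if sfnt_version not in SFNT_VERSIONS:
        findings.append("unexpected sfntVersion 0x%08x" % sfnt_version)
    head_offset = None
    for tag, stored, offset, length in records:
        if offset + length > len(font):
            findings.append("%s: table extends past end of file" % tag)
            continue
        body = font[offset:offset + length]
        if tag == "head" and length >= 54:
            head_offset = offset
            # checkSumAdjustment (bytes 8..11 of 'head') is treated as zero when the table is summed
            body = body[:8] + b"\x00\x00\x00\x00" + body[12:]
        actual = table_checksum(body)
        if actual != stored:
            findings.append("%s: computed 0x%08x, directory says 0x%08x" % (tag, actual, stored))
    if head_offset is None:
        findings.append("no usable 'head' table")
    else:
        stored_adj = struct.unpack(">I", font[head_offset + 8:head_offset + 12])[0]
        # Whole-file checksum is taken with checkSumAdjustment zeroed; the field must equal MAGIC - sum
        whole = font[:head_offset + 8] + b"\x00\x00\x00\x00" + font[head_offset + 12:]
        expected_adj = (HEAD_MAGIC - table_checksum(whole)) & 0xFFFFFFFF
        if stored_adj != expected_adj:
            findings.append("head.checkSumAdjustment 0x%08x, expected 0x%08x" % (stored_adj, expected_adj))
    return findings


def build_font(tables):
    """Assemble a minimal sfnt from {tag: bytes} with correct checksums (test input only, not a real font)."""
    tags = sorted(tables)                     # table records must be in ascending tag order
    num = len(tags)
    pow2 = 1 << (num.bit_length() - 1)        # searchRange / entrySelector / rangeShift per the spec
    header = struct.pack(">IHHHH", 0x00010000, num, pow2 * 16, pow2.bit_length() - 1, num * 16 - pow2 * 16)
    offset = 12 + 16 * num
    directory, bodies, offsets = b"", b"", {}
    for tag in tags:
        body = tables[tag]
        if tag == "head":
            body = body[:8] + b"\x00\x00\x00\x00" + body[12:]  # checkSumAdjustment is zero while summing
        offsets[tag] = offset
        directory += struct.pack(">4sIII", tag.encode("latin-1"), table_checksum(body), offset, len(body))
        padded = body + b"\x00" * (-len(body) % 4)
        bodies += padded
        offset += len(padded)
    font = bytearray(header + directory + bodies)
    adj = (HEAD_MAGIC - table_checksum(bytes(font))) & 0xFFFFFFFF  # field is still zero at this point
    h = offsets["head"]
    font[h + 8:h + 12] = struct.pack(">I", adj)
    return bytes(font)


def tamper(font, tag, byte_index):
    """Flip one byte inside the named table without touching the directory (a careless modification)."""
    _, records = parse_table_directory(font)
    offset = next(off for t, _, off, _ in records if t == tag)
    out = bytearray(font)
    out[offset + byte_index] ^= 0xFF
    return bytes(out)


# Constructed sample: a 54-byte 'head' table and an 18-byte 'cmap' stub (odd length exercises padding)
SAMPLE_TABLES = {
    "head": struct.pack(">IIIIHHqqhhhhHHhhh", 0x00010000, 0x00010000, 0, 0x5F0F3CF5, 0, 1000,
                        0, 0, 0, 0, 1000, 1000, 0, 8, 2, 0, 0),
    "cmap": bytes.fromhex("0000 0001 0003 0001 0000000C 0000 0000 0000"),
}

if __name__ == "__main__":
    clean = build_font(SAMPLE_TABLES)
    print("clean:", verify_font(clean) or "all checksums verify")
    print("tampered:", verify_font(tamper(clean, "cmap", 0)))
```

To check a real file, read it and pass the bytes to verify_font; for a TrueType collection (.ttc) the header differs and this parser does not apply. The whole-file checkSumAdjustment is the more useful of the two signals, since it changes on any byte flip anywhere in the file, including inside the directory itself.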
Microsoft released security bulletin MS13-081 on October 8 addressing vulnerabilities in OpenType and TrueType font handling that could allow arbitrary code execution. If the infection does rely on modified fonts, a font-parsing bug of this kind is exactly what would let a crafted TTF run code when the file is loaded. The bulletin states:
The security update addresses these vulnerabilities by correcting the way that Windows handles specially crafted OpenType Font files and specially crafted TrueType Font (TTF) files, and by correcting the way that Windows handles objects in memory.
Until further information is released by Ruiu, I cannot conclusively verify any of the information presented here.
UPDATE: Mircea over at Trilema seems to believe that this is all bunk. At this point it is difficult to say conclusively, but, as they say, extraordinary claims require extraordinary evidence.