If your security depends on no format with undesirable properties existing, then you have no security. The problem here is not the zip format but insufficient validation for the images you accept - the hidden data could be any ad-hoc format. Message smuggling in image files in particular is only something you can prevent if you re-encode the image -- and even then it's possible to hide messages in the image data in ways that will survive re-encodes.