1. This is not a vulnerability in Telegram. This is a vulnerability in the way Windows processes malicious RLO characters in downloaded files. See: https://cdn.securelist.com/files/2018/02/180212-telegram-vul.... The users must click past the security warning (unless they have manually disabled it in system settings), download the file to their machine, and run it.
2. This vulnerability is a phishing vector, not a "0-day" (which, these days, is a marketing term). It allows you to send a user a file to compromise their machine, not the Telegram desktop application. Telegram is therefore the channel which can be used to execute a phishing attack. An email client would also be a channel.
Kaspersky is trying to get eyeballs by checking off a bunch of boxes in the tech zeitgeist: Telegram, controversy over Telegram's security, cybercrime, cryptocurrencies and mining. They've baked a narrative that is specifically designed to market Kaspersky's services to its readers by dropping a bunch of keywords - the scenarios presented are so far removed from the standalone technicalities of the vulnerability that it's no longer even honest.
Exploitive security marketing and the uninformed journalism that follows it around is going to give me an ulcer.
Feels like Telegram should be on the hook for protecting against this. It does work with email too, and not really Telegram's fault. Nonetheless, the expectation for them to deal with it seems reasonable to me.
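An added example, not part of any comment in this thread: a check that a mail gateway or chat client could run on received file names to catch the RLO trick discussed above. The sample file name is constructed, the function names are hypothetical, and the display logic is a simplified approximation of bidi rendering.

```python
import os

# Unicode bidirectional formatting characters (names per the Unicode standard).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}
RLO, PDF = "\u202e", "\u202c"

def strip_controls(text):
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)

def approx_display(name):
    """Rough rendering: text after RLO is drawn reversed until PDF or end of name.
    A simplification of the full bidi algorithm (UAX #9), enough for Latin names."""
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(strip_controls(name[i + 1:end])[::-1])
            i = end + 1
        else:
            out.append(strip_controls(name[i]))
            i += 1
    return "".join(out)

def inspect_filename(name):
    """Compare the extension the OS acts on with the one a user appears to see."""
    controls = [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    shown = approx_display(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "controls": controls,
        "shown": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "sanitized": strip_controls(name),
        # Any bidi control in a received file name is worth flagging; a differing
        # extension means the displayed type is not what will execute.
        "suspicious": bool(controls),
        "ext_mismatch": real_ext != shown_ext,
    }

if __name__ == "__main__":
    sample = "photo_high_re\u202egnp.js"  # constructed sample name
    print(inspect_filename(sample))
```
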
> Attackers used a hidden Unicode character in the file name that reversed the order of the characters, thus renaming the file itself. As a result, users downloaded hidden malware which was then installed on their computers.
> Secondly, upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as a command and control protocol was installed, resulting in the hackers gaining remote access to the victim’s computer.