Yeah, I was disappointed as well. This "zero day remote code execution" actually is not much more than good, old "important_document.pdf.exe" just slightly more obscure.
The "exploit" doesn't even have anything to do with Telegram specifically (except presumably that there's some known real world use on that platform). I'm surprised at this kind of article coming from Kaspersky.
The article says it was discovered in October 2017, and that they "informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products".
This is mildly off topic but regarding clickbait titles, does anyone have any good idea how we can stop them? Because everybody hates them, but everybody clicks on them. Seriously, I hate the way BBC News has turned into a clickbait nightmare; but I still clicked on the "my husband turned into an otter, then became a security professional" link, or whatever it was.
It's a knotty problem. Also exploits in software bad.
This article is atrocious. It has a clear agenda motivating its publication that is simply at odds with facts.
1. This is not a vulnerability with Telegram. The headline is deliberate clickbait, and the article’s Telegram-centric presentation doesn’t redeem it.
2. This is not a remote code execution vulnerability, or even a “0-day” (for whatever meaning that term still has...). This vulnerability is a malicious file upload combined with a clever phishing vector.
The reporting is exceptionally bad - so much so that it is difficult for me to attribute it to simple ignorance. It is very clearly trying to hit several checkboxes for what is otherwise a non-story:
* Telegram
* Cybercrime
* Cryptocurrencies/Mining
The entire narrative is carefully constructed with keywords that have no hard relation to the vulnerability whatsoever - it feels like I’m reading a bug bounty report where someone extrapolates a minor endpoint security or phishing vulnerability to whatever they think will get the most attention to the report.
Reporting like this almost makes me wish for Gell-Mann Amnesia in my own field.
"Hello! I'm Russian remote code execution vulnerability, please run me and ignore system security warning. Also, you may want to delete your Documents and Settings folder, just press Del button and then Continue"
As a security researcher who tends to focus a bit on user interaction and phishing vectors you are 100% correct, but also representing part of the problem. Too often we discount vulnerabilities which users have to click-through to execute. Unfortunately users do ignore system security warnings. Unfortunately when given a dialog where they can choose security over doing their job, they'll do their job.
I've actually presented user interaction vulnerabilities to development teams in an interactive environment where I describe the vulnerability. I show them where it's at, I show them the dialogs they must be cautious about and even with all of this education they still fall for my attack running on their network. As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.
> As an industry we've got to stop discounting vulnerabilities as not serious because they require user interaction which involves clicking through security warnings.
Maybe give it an actual name. Something like Vibkac: Vulnerability is between keyboard and chair.
I didn't quite understand the "Remote control" scenario; is the victim becoming a Telegram bot, where the attacker sends commands to the bot and the bot executes stuff on the victim system?
I think it's basically that the malware uses the Telegram bot API as a CGI. Probably not a smart attack and sounds like something someone naive but familiar with writing messenger bots might try.
Even the source article says just "zero-day".
Also, tldr: Using Unicode Right-To-Left, you can make Telegram show file name "gpj.js" as "sj.jpg". That's all.
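For anyone who wants to catch this on the receiving side: the check below is an added example (not code from the thread or from Kaspersky/Telegram) that looks for Unicode bidi control characters in a filename, reconstructs what a user would see versus the extension the OS actually uses, and flags the mismatch. The sample filenames are constructed; the renderer approximation only models the override case the comment above describes.

```python
# Added example (not from the thread): flag filenames that use bidi override
# characters to disguise their real extension ("gpj.js" rendered as "sj.jpg").
# Bidi formatting characters that can reorder or hide parts of a rendered name.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO",
    "\u202E": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200E": "LRM", "\u200F": "RLM",
}

def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware renderer shows for a Latin-script filename:
    text after RLO (U+202E) is drawn reversed until PDF (U+202C) or end of string,
    LRO (U+202D) keeps order, and the other controls are invisible and dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch in ("\u202D", "\u202E"):
            j = i + 1
            while j < len(name) and name[j] != "\u202C":
                j += 1
            run = "".join(c for c in name[i + 1:j] if c not in BIDI_CONTROLS)
            out.append(run[::-1] if ch == "\u202E" else run)
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def extension(name: str) -> str:
    """Extension after the last dot, lower-cased, or '' if there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def audit_filename(name: str) -> dict:
    """Compare the name the OS uses with the name a user sees; any override
    character or a visible/real extension mismatch marks the file suspicious."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real_name = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = displayed_name(name)
    real_ext, shown_ext = extension(real_name), extension(shown)
    return {
        "bidi_controls": controls,
        "displayed": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "suspicious": any(n in ("RLO", "LRO") for _, n in controls) or shown_ext != real_ext,
    }

if __name__ == "__main__":
    for sample in ["photo_\u202Egpj.js", "report.pdf", "invoice.pdf.exe"]:  # constructed
        print(audit_filename(sample))
```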