April 13, 2024 at 07:43AM
Telegram addressed a zero-day vulnerability in its Windows desktop app, allowing the automatic launch of Python scripts. Initially disputed, it was confirmed that a typo in the source code allowed bypassing security warnings when clicking on Python .pyzw files disguised as videos. Telegram fixed the issue with a server-side fix, ensuring future versions include a security warning.
Based on the meeting notes, the key takeaways are:
1. Telegram had a vulnerability in its Windows desktop application that allowed Python scripts to be automatically launched through a typo in the file extension handling.
2. Rumors about zero-click vulnerabilities in Telegram Desktop were found to be inaccurate. Instead, a user needed to click on a malicious file while having the Python interpreter installed on their computer for the vulnerability to be exploited.
3. Telegram implemented a server-side fix to prevent Python scripts from automatically launching when clicked.
4. Telegram also applied a server-side fix that appends the “.untrusted” extension to certain files, causing Windows to prompt users to choose a program to open them with, rather than automatically launching in Python.
5. Future versions of the Telegram Desktop app are expected to include a security warning message, providing enhanced security.
If you need further information or details on any of these points, feel free to ask.