Telegram fixes Windows app zero-day caused by file extension typo (Security News, April 2024)

This caused the file to be executed automatically by Python without the warning that Telegram shows for other executables, and that it was supposed to show for this file had it not been for a typo.
In a statement to BleepingComputer, Telegram rightfully disputes that the bug was a zero-click flaw but confirmed they fixed the "Issue" in Telegram for Windows to prevent Python scripts from automatically launching when clicked.
"Rumors about the existence of zero-click vulnerabilities in Telegram Desktop are inaccurate. Some "experts" recommended to "disable automatic downloads" on Telegram - there were no issues which could have been triggered by automatic downloads.
The Telegram Desktop client keeps track of a list of file extensions associated with risky files, such as executable files.
The .pyzw file extension is associated with the Python executable, causing Python to execute the scripts automatically when the file is double-clicked.
To disguise the file, researchers used a Telegram bot to send it with a MIME type of 'video/mp4', causing Telegram to display the file as a shared video.
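
An added example (not Telegram's code and not from the original article) of two checks a client can run around such an extension list: a build-time lint that catches a misspelled entry, and an open-time cross-check of the declared MIME type against the file name. The extension sets, the sample list with its transposed entry, and all function names are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed reference set: extensions a Windows Python install opens with the interpreter.
PYTHON_EXTS = {"py", "pyw", "pyc", "pyz", "pyzw"}
# Constructed sample: file extensions expected for media types a client previews inline.
MEDIA_EXTS = {"video/mp4": {"mp4", "m4v"}, "image/jpeg": {"jpg", "jpeg"}}
# Constructed risky-extension list containing one transposed entry ("pywz").
SAMPLE_BLOCKLIST = {"exe", "bat", "cmd", "py", "pyw", "pyc", "pyz", "pywz"}


def extension(filename: str) -> str:
    """Lower-cased final extension; Windows ignores trailing dots and spaces."""
    name = PureWindowsPath(filename.rstrip(". ")).name
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def lint_blocklist(blocklist: set, required: set) -> dict:
    """Map each required extension missing from the list to a probable typo.

    A listed entry with the same letters in a different order is reported as
    the likely misspelling; None means the extension is simply absent.
    """
    extras = sorted(blocklist - required)
    missing = {}
    for ext in sorted(required - blocklist):
        missing[ext] = next((e for e in extras if sorted(e) == sorted(ext)), None)
    return missing


def open_decision(filename: str, declared_mime: str, blocklist: set) -> str:
    """Return 'warn' or 'open' for a received attachment."""
    ext = extension(filename)
    if ext in blocklist:
        return "warn"
    expected = MEDIA_EXTS.get(declared_mime.lower())
    # Declared as media but the file name says otherwise: do not trust the MIME type.
    if expected is not None and ext not in expected:
        return "warn"
    return "open"


if __name__ == "__main__":
    print(lint_blocklist(SAMPLE_BLOCKLIST, PYTHON_EXTS))
    print(open_decision("clip.pyzw", "application/octet-stream", SAMPLE_BLOCKLIST))
    print(open_decision("clip.pyzw", "video/mp4", SAMPLE_BLOCKLIST))
```

Running the lint as a unit test against the shipped list fails the build on the transposed entry, while the MIME cross-check still warns at open time if a list entry is wrong.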