It's an attachment naming confusion, you still need to run an attachment from some rando, it's mostly exploitable on Windows, which is not where most people run Telegram, and it's already fixed. I think your description is pretty misleading.