You'd need some specially created Bitcoin client that uses something like OP_RETURN data as an executable (and I don't believe there even is such software in existence unless Kaspersky created it just to publish this FUD article).
Exploiting a vulnerability before a malicious entity does actually is helpful because you can be prepared and patch it before shit happens. Whether or not what Kaspersky found is a vulnerability to begin with is another question (which I believe it is not, like all of you).