The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.
This looks to me like the script equivalent of an SQL injection attack. In an SQL injection, unverified text is copied into an SQL query, which allows an attacker to execute arbitrary SQL commands. In this 'bad taste' vulnerability, a filename (which can contain almost any possible character) is copied into a small VB script, allowing an attacker to execute arbitrary VB script code simply by giving a file a carefully crafted name.
Aside from the injection vulnerability, this particular version of the attack would not be possible if there had been some extra restrictions on what characters are permitted to be used in filenames (on Linux). Scripting would be a lot easier if one did not have to account for the possibility that people use double quotes, newline characters or even stranger things in filenames. Sadly, there are those who oppose any restriction on which characters can be used in filenames, simply because they want to be able to abuse the filesystem as a cheap hash table with raw binary data as filenames.
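
The injection pattern described above, modelled as an added example (not code from the original text or from gnome-exe-thumbnailer): a filename pasted into a script template changes the script's structure, while quoting it or passing it as an argument does not. The one-line template, the `installer.OpenDatabase` call and the sample filename are assumptions constructed for illustration.

```python
import re

# Hypothetical one-statement template standing in for the generated script.
TEMPLATE = 'Set db = installer.OpenDatabase("{name}", 0)'
# Parameterised form: the script text is constant, the name arrives as data.
PARAM_SCRIPT = 'Set db = installer.OpenDatabase(WScript.Arguments(0), 0)'

# Constructed, harmless sample name: closes the literal, adds an assignment.
HOSTILE = 'demo", 0) : marker = 1 : REM .msi'


def build_unsafe(filename):
    """Vulnerable pattern: the filename is pasted into the script as-is."""
    return TEMPLATE.format(name=filename)


def vbs_quote(filename):
    """Encode a name as the content of a VBScript string literal.

    VBScript has no backslash escapes: a double quote is written as two
    double quotes, and a literal cannot span lines, so control characters
    are rejected instead of escaped.
    """
    if re.search(r'[\x00-\x1f\x7f]', filename):
        raise ValueError('control character in filename')
    return filename.replace('"', '""')


def build_escaped(filename):
    """Same template, but the name can no longer leave the string literal."""
    return TEMPLATE.format(name=vbs_quote(filename))


def build_parameterised(filename):
    """Analogue of a prepared statement: fixed script plus argument list."""
    return PARAM_SCRIPT, [filename]


def statement_count(script):
    """Count statements: newlines, and colons outside string literals."""
    count, in_string = 1, False
    for ch in script:
        if ch == '"':
            in_string = not in_string
        elif ch == '\n':
            count, in_string = count + 1, False
        elif ch == ':' and not in_string:
            count += 1
    return count
```

Comparing `statement_count` of the rendered script against the count for a known-benign name is a cheap structural check that the filename stayed data.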