Microsoft has issued emergency fixes to patch the “aCropalypse” Windows 10 and 11 security flaw that allowed malicious actors to reveal the unedited contents of a cropped screenshot.
As Bleeping Computer reports, the privacy vulnerability was caused by Windows 11’s Snipping Tool and Windows 10’s Snip and Sketch app not properly removing cropped image data when overwriting the original file.
The flaw, noticed by retired software engineer Chris Blume, raised serious concerns that bad actors could recover original uncropped files, and therefore access private information such as credit card details or passwords.
In a statement to Bleeping Computer about the bug, formally called CVE-2023-28303, Microsoft said Saturday: “We have released a security update for these tools via CVE-2023-28303. We recommend customers apply the update.”
The security updates can be downloaded by opening the Microsoft Store and clicking on “Library” before “Get Updates.”
According to security researchers who spoke to Bleeping Computer, the number of public images impacted by the aCropalypse bug is likely to be “much higher” than 4,000.
On its official blog for security updates, Microsoft described the vulnerability as “low” in severity because “successful exploitation requires uncommon user interaction and several factors outside of an attacker’s control.”
For a file to be exposed to the flaw, a user must take a screenshot, save it to a file, crop that file, and then save the modified file to the same location. Users can also have their files exposed if they open an image in Snipping Tool, crop it, and then save the cropped file to the same location, Microsoft wrote.
Microsoft added that common practices like copying an image from Snipping Tool or modifying it before saving it did not expose the file to the bug. And only publicly shared files can be affected, unless the device on which the file was modified is compromised, the company confirmed.
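The in-place overwrite Microsoft describes leaves the bytes of the original image sitting after the cropped PNG’s final IEND chunk. The following Python script is an added illustration, not code from the article, Microsoft, or the researchers: it builds two constructed sample PNGs, simulates an overwrite that does not truncate the file, and checks how many bytes trail the IEND chunk, which is the tell-tale sign that a screenshot still carries uncropped data.

```python
import random
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_rgb_png(width: int, height: int, seed: int) -> bytes:
    """Constructed sample image: 8-bit RGB with pseudo-random pixels (not a real screenshot)."""
    rng = random.Random(seed)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is a filter byte (0 = none) followed by width*3 pixel bytes.
    raw = b"".join(b"\x00" + bytes(rng.getrandbits(8) for _ in range(width * 3))
                   for _ in range(height))
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def trailing_bytes_after_iend(png: bytes) -> int:
    """Return the number of bytes that follow the IEND chunk.

    A well-formed PNG ends immediately after IEND. A file that was overwritten in
    place without being truncated keeps the tail of the previous image after IEND,
    so a non-zero result means the file still contains data from the uncropped original.
    """
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:end])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos = end
        if ctype == b"IEND":
            return len(png) - pos
    raise ValueError("no IEND chunk found")


def overwrite_without_truncate(old: bytes, new: bytes) -> bytes:
    """Simulate writing `new` over `old` from offset 0 without truncating the file."""
    return new + old[len(new):]
```

Running `trailing_bytes_after_iend` over the bytes of an already shared screenshot tells you whether it was saved with this pattern; the remedy is to re-crop from the source and save to a fresh file rather than to share the overwritten one.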
As Engadget notes, the vulnerability was first discovered on Pixel devices, where it affected Pixel’s Markup tool. Google promptly fixed the issue in its March security update, however.