The Redmond, Washington-based tech giant said a security flaw had been found in the Snipping Tool application in Windows 11 and its Windows 10 counterpart, Snip & Sketch, an instance of what is sometimes known as the “Acropalypse” vulnerability. The bug, tracked as CVE-2023-28303, means that when a cropped image is saved over the original file, the editor does not remove the data left over from the original: the new, smaller image overwrites only the start of the file, and the remaining bytes of the original stay on disk, where they can be recovered.
While Microsoft said the vulnerability was rated as “low” in severity, the firm told news outlets last week that “we have released a security update for these tools via CVE-2023-28303. We recommend customers apply the update.”
“The severity of this vulnerability is low because successful exploitation requires uncommon user interaction and several factors outside of an attacker’s control,” said Microsoft in its bulletin, adding that an image is exploitable only if one of two conditions is met.
“The user must take a screenshot, save it to a file, modify the file (for example, crop it), and then save the modified file to the same location,” the bulletin stated.
The other condition is that “the user must open an image in Snipping Tool, modify the file (for example, crop it), and then save the modified file to the same location.”
It noted: “For example, if you take a screenshot of your bank statement, save it to your desktop, and crop out your account number before saving it to the same location, the cropped image could still contain your account number in a hidden format that could be recovered by someone who has access to the complete image file.”
But if a user copies the cropped image from the Snipping Tool program and pastes it into a document or email, anything that has been cropped out or hidden—such as an account number—won’t be copied, Microsoft noted.
To exploit the flaw, an attacker who obtains the saved file could recover portions of the original image, because the cropped version only partially overwrites it, the firm said.
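The leftover-data condition Microsoft describes can be checked directly on a saved file. The following Python script is an added example, not code from Microsoft or from the original article: it builds a constructed “original” PNG and a smaller constructed “cropped” PNG, simulates saving the cropped image over the original without truncating the file, then walks the PNG chunk structure to find the IEND marker and reports any bytes that follow it. Reconstructing the hidden pixels from that residue requires re-synchronising a truncated deflate stream, which the example does not attempt; it only detects the residue and shows the truncation that removes it. The image sizes and the noise pattern are constructed test data, not real screenshots.

```python
"""Detect bytes left behind after a PNG's IEND chunk (the Acropalypse pattern).

Added example: constructs its own sample images; not the Snipping Tool's code.
"""
import random
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, seed: int) -> bytes:
    """Build a minimal valid 8-bit greyscale PNG filled with seeded noise.

    Noise keeps the IDAT stream incompressible, so the constructed "original"
    is clearly larger than the constructed "cropped" image.
    """
    rng = random.Random(seed)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Each scanline starts with filter-type byte 0 followed by `width` pixels.
    raw = b"".join(b"\x00" + rng.randbytes(width) for _ in range(height))
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


def overwrite_without_truncate(original: bytes, cropped: bytes) -> bytes:
    """Simulate writing a smaller file over a larger one without truncating it.

    This is the failure mode described for CVE-2023-28303: the tail of the
    original file survives beyond the new image's IEND chunk.
    """
    if len(cropped) >= len(original):
        return cropped
    return cropped + original[len(cropped):]


def png_end_offset(data: bytes) -> int:
    """Return the offset just past the IEND chunk, i.e. the logical end of the PNG."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header, chunk data, CRC
        if pos > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def trailing_data(data: bytes) -> bytes:
    """Bytes after IEND. Viewers ignore them, but they are still in the file."""
    return data[png_end_offset(data):]


def strip_trailing(data: bytes) -> bytes:
    """Return only the logical PNG: the remediation is to truncate at IEND."""
    return data[:png_end_offset(data)]


def analyze(data: bytes) -> dict:
    """Summarize a file: logical PNG size, leftover byte count, and whether the
    leftover itself ends with a PNG IEND chunk, a strong sign that it is an
    earlier image that was only partially overwritten."""
    end = png_end_offset(data)
    rest = data[end:]
    return {
        "png_bytes": end,
        "leftover_bytes": len(rest),
        "leftover_ends_with_iend": rest.endswith(_chunk(b"IEND", b"")),
    }


if __name__ == "__main__":
    original = make_png(256, 64, seed=1)   # constructed "full screenshot"
    cropped = make_png(8, 8, seed=2)       # constructed "cropped" version
    on_disk = overwrite_without_truncate(original, cropped)
    print("clean save:", analyze(cropped))
    print("save over original:", analyze(on_disk))
    print("after truncation:", analyze(strip_trailing(on_disk)))
```

Run against a real screenshot, `analyze(open(path, "rb").read())` reports a non-zero `leftover_bytes` whenever anything follows the IEND chunk; a leftover tail that itself ends with an IEND chunk matches the partially overwritten pattern this bulletin describes.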
To install the update, a user can open the Microsoft Store, go to Library, and click “Get updates”; the store then offers the latest Snipping Tool update to install. Note that the update changes only how new saves are written: files that were cropped and saved over before the update still carry whatever data was left behind.
“It is possible for customers to disable automatic updates for the Microsoft Store. The Microsoft Store will not automatically install this update for those customers. You can get the update through the store by following this guide: Get updates for apps and games in Microsoft Store. Based on your operating system, Microsoft Store will display the update that is available for the Snipping Tool you have installed,” the company says.