Windows security issue

Microsoft has released an emergency security update for the Windows 10 and Windows 11 Snipping Tool to address the Acropalypse privacy vulnerability.

Now identified as CVE-2023-28303, the Acropalypse vulnerability is caused by image editors not properly removing cropped image data when overwriting the original file.

For example, if you take a screenshot and crop sensitive information, such as account numbers, you should reasonably expect that such cropped data will be deleted when the image is saved.

However, with this bug, both the Google Pixel Markup Tool and the Windows Snipping Tool left the cropped data in the original file.

For example, in the image below, you can see how additional data is saved after the IEND file marker, which indicates the end of a PNG file. Normally there should be no data after the IEND marker.

Cropped data erroneously recorded after IEND marker
Source: BleepingComputer

This additional data could be used to partially recover the content of the cropped image, potentially exposing sensitive content that was never meant to be public.
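A defender-side check for the symptom described above, added here as an example and not code from the article or from Microsoft: it walks the PNG chunk list and reports how many bytes follow the IEND chunk, which should be zero for a correctly saved file. The sample PNG and the bytes appended after IEND are constructed inline to stand in for an affected screenshot.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def trailing_bytes_after_iend(data: bytes) -> int:
    """Walk the PNG chunk list and return how many bytes follow the IEND
    chunk. A properly written PNG returns 0; a file left behind by the
    Acropalypse bug returns the size of the stale data still in the file."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        # chunk layout: 4-byte length, 4-byte type, payload, 4-byte CRC
        chunk_end = pos + 12 + length
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return len(data) - chunk_end
        pos = chunk_end
    raise ValueError("IEND chunk not found")


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    # CRC covers the type and payload, per the PNG specification
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG, optionally followed by leftover bytes
    after IEND to mimic an affected file (sample data, not a real screenshot)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)


def is_possibly_affected(path: str) -> bool:
    """True if the PNG at `path` carries data after IEND and should not be shared as-is."""
    with open(path, "rb") as fh:
        return trailing_bytes_after_iend(fh.read()) > 0


if __name__ == "__main__":
    print(trailing_bytes_after_iend(build_sample_png()))             # 0
    print(trailing_bytes_after_iend(build_sample_png(b"\x00" * 300)))  # 300
```

Run `is_possibly_affected()` over a screenshot folder before uploading; any file that returns True should be re-saved from a patched Snipping Tool or re-exported so that nothing follows IEND.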

Security researchers told BleepingComputer that the number of public images affected by this flaw could be high, with VirusTotal alone hosting more than 4,000 images affected by the Acropalypse bug.

Therefore, on image hosting services, the number of images impacted by Acropalypse is likely much higher.

Microsoft releases OOB security update

As BleepingComputer reported, Microsoft was testing a fix for the Windows 11 Snipping Tool bug in the Windows Insider Canary channel.

Last night, Microsoft released security updates for the Windows 10 Snip & Sketch and Windows 11 Snipping Tool programs to address the Acropalypse flaw.

“We have released a security update for these tools via CVE-2023-28303. We recommend that customers apply the update,” Microsoft told BleepingComputer.

After installing this security update, Windows 11 Snipping Tool will be version 10.2008.3001.0 and Windows 10 Snip & Sketch will be version 11.2302.20.0.

Microsoft is now tracking the vulnerability as CVE-2023-28303 and titled it “Windows Snipping Tool Information Disclosure Vulnerability”.

The vulnerability is classified as “low” in severity because it “requires uncommon user interaction and multiple factors beyond an attacker’s control.”

  1. The user needs to take a screenshot, save it to a file, edit the file (e.g. crop it), and then save the edited file to the same location.
  2. The user must open an image in Snipping Tool, edit the file (e.g. crop it), and then save the edited file to the same location.

That said, in our experience, it’s not uncommon to take a screenshot, save it, then realize you need to crop something, then overwrite the original image. This image would now have been affected by the bug.

The good news is that regardless of how the image is created, if you don’t share an affected image publicly, you’re unlikely to have the flaw exploited unless your device is compromised.

To install security updates, open the Microsoft Store and go to Library > Get Updates, and the latest version of Windows Snipping Tool will be automatically installed.
