Microsoft announced a new information disclosure vulnerability on Friday in the screenshot editing tools of both Windows 10 and Windows 11.
This vulnerability (CVE-2023-28303), known as aCropalypse, allows an attacker who obtains the saved image file to recover cropped-out portions of a screenshot, potentially exposing sensitive information.
This vulnerability affects Snip & Sketch on Windows 10 and Snipping Tool on Windows 11 (but not Snipping Tool on Windows 10). According to Microsoft, it has a low CVSS score of 3.3 and requires user interaction to exploit.
“This vulnerability is of low severity because successful exploitation requires uncommon user interaction and several factors beyond the attacker’s control,” the advisory states.
A user must create the image under certain conditions for an attacker to exploit this issue. In both cases the tool overwrites the original file in place without truncating it, so the bytes of the original that extend past the new, smaller image remain on disk after the new file's IEND chunk:
- Take a screenshot, save it to a file, edit it (for example, crop it), and save the modified file to the same location.
- Open an existing image in the tool, edit it, and save the modified file to the same location.
“For example, if you take a screenshot of your bank statement, save it to your desktop, and then crop the account number before saving it to the same location, the cropped image still contains the account number in a hidden form and could be recovered by anyone with access to the complete image file,” Microsoft revealed.
“However, if you copy the cropped image from the Snipping Tool and paste it into an email or document, the hidden data will not be copied and your account number will be safe.”
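The mechanism behind those two conditions, shown as an added example that is not code from the article or from Microsoft: a minimal PNG writer builds a large "screenshot" and a small "crop" (both constructed sample inputs), the crop is saved over the original once the buggy way (`r+b`, rewrite from offset 0 without truncating) and once the correct way (`wb`, which truncates), and a chunk walker reports how many bytes of the old image survive after the new file's IEND chunk. File names, image sizes and function names are assumptions made for the example.

```python
import os
import random
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte big-endian length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int, height: int, seed: int = 1234) -> bytes:
    """Constructed sample input: a minimal 8-bit RGB PNG filled with deterministic pseudo-random pixels
    (incompressible, so a bigger image really is a bigger file)."""
    rng = random.Random(seed)
    # each scanline = filter byte 0 (None) followed by width RGB triples
    rows = [b"\x00" + bytes(rng.randrange(256) for _ in range(width * 3)) for _ in range(height)]
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit depth, colour type 2 (RGB)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows)))
            + _chunk(b"IEND", b""))


def png_logical_end(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the first IEND chunk,
    i.e. where a correctly written PNG file should stop."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + body + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Bytes after IEND: 0 for a cleanly written file, >0 when a larger image was overwritten in place."""
    return len(data) - png_logical_end(data)


def save_over(path: str, new_png: bytes, truncate: bool) -> None:
    """Overwrite an existing file. truncate=False reproduces the bug class: 'r+b' rewrites from
    offset 0 but leaves the old tail on disk; 'wb' opens with O_TRUNC and shrinks the file."""
    with open(path, "wb" if truncate else "r+b") as f:
        f.write(new_png)


def crop_and_save(truncate: bool) -> dict:
    """Save a 64x64 'screenshot', overwrite it with an 8x8 'crop', and report what is left behind."""
    original, cropped = make_png(64, 64), make_png(8, 8)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shot.png")  # assumed file name
        with open(path, "wb") as f:
            f.write(original)
        save_over(path, cropped, truncate)
        with open(path, "rb") as f:
            on_disk = f.read()
    end = png_logical_end(on_disk)
    return {
        "file_size": len(on_disk),
        "cropped_size": len(cropped),
        "trailing": trailing_bytes(on_disk),
        # the old file's own IEND marker survives inside the leftover region
        "old_iend_in_tail": b"IEND" in on_disk[end:],
        "expected_leftover": max(0, len(original) - len(cropped)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("truncate=%s -> %s" % (mode, crop_and_save(truncate=mode)))
```

`trailing_bytes` is also a usable triage check: run it over a folder of screenshots and anything that reports a non-zero value was saved by a non-truncating writer and may still carry pre-crop pixel data (the leftover is the tail of the original's IDAT stream, which is what the public recovery tools reconstruct). It does not, by itself, recover the image.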
The tech giant has released fixes for both screenshot tools. Users can apply the patch by updating to version 10.2008.3001.0 (Snip & Sketch) and version 11.2302.20.0 (Snipping Tool).
This update comes a few weeks after Microsoft fixed two zero-day vulnerabilities in its March Patch Tuesday release.