Microsoft fixes reversible screenshot vulnerability on Windows
Microsoft has pushed an update to fix a screenshot editing vulnerability in Windows 10 and 11, as spotted earlier by Bleeping Computer. The security flaw, dubbed the “aCropalypse,” could let bad actors recover the edited portions of screenshots, potentially revealing personal information that had been cropped out or concealed.
According to Microsoft, the issue (CVE-2023-28303) affects both the Snip & Sketch app on Windows 10 and the Snipping Tool on Windows 11. However, it only applies to images created in a very specific set of steps. That includes those that have been taken, saved, edited, and then saved over the original file, as well as the ones opened in the Snipping Tool, edited, and then saved to the same location. It doesn’t have any effect on the screenshots modified before saving them and also doesn’t impact screenshots that had been copied and pasted to, say, the body of an email or document.
Microsoft first learned of the issue earlier this week. That’s when Chris Blume, the chair of the working group for the PNG image format, brought it to the attention of David Buchanan and Simon Aarons — the same security researchers who discovered the aCropalypse vulnerability affecting the Google Pixel’s Markup tool. This, similarly, lets hackers reverse the changes made to screenshots, making it possible to reveal the personal information in an image that someone thought they were hiding, whether by cropping it out or scribbling over it.
You can download the latest updates for the affected apps on Windows by heading to the Microsoft Store, clicking Library, and then choosing Get updates. If you have automatic updates enabled, you should notice that the Snipping Tool should be set to version 10.2008.3001.0, while the Snip & Sketch tool will be version 11.2302.20.0. Just like the patch Google issued, Microsoft’s change won’t update the edited screenshots that had already been posted online, though, which could potentially leave thousands of screenshots on the web that bad actors can exploit.