Microsoft has released an emergency security update for the Windows 10 and Windows 11 Snipping Tool to fix the Acropalypse privacy vulnerability. The vulnerability is caused by image editors failing to remove the cropped-out image data when they overwrite the original file.
The bug, called the Acropalypse, affects both the Google Pixel’s Markup Tool and the Windows Snipping Tool. Both tools leave the cropped data within the original file, potentially exposing sensitive content that was never meant to be public.
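Because the cropped file is written over the old one without truncating it, the leftover data sits after the PNG's IEND chunk. The following added example (not code from Microsoft, Google or the original article) walks the PNG chunk list to measure those trailing bytes and to strip them before a file is shared; it assumes PNG output and builds a constructed 1x1 sample inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_payload_end(data: bytes) -> int:
    """Offset just past the IEND chunk; raises ValueError on malformed input."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Bytes after IEND. Non-zero means the file kept data from an earlier save."""
    return len(data) - png_payload_end(data)


def strip_trailing(data: bytes) -> bytes:
    """Return the image with everything after IEND removed."""
    return data[:png_payload_end(data)]


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample():
    """Constructed test data: a clean 1x1 RGB PNG and the same PNG with leftover bytes."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter byte + one pixel
    clean = PNG_SIGNATURE + ihdr + idat + _chunk(b"IEND", b"")
    leftover = b"\x11" * 64  # constructed stand-in for the tail of the old, larger image
    return clean, clean + leftover


if __name__ == "__main__":
    clean, affected = build_sample()
    print("clean:", trailing_bytes(clean), "affected:", trailing_bytes(affected))
```

Run over a directory of screenshots, any non-zero result marks a file worth re-saving from a fixed tool or truncating with `strip_trailing` before it leaves the machine.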
Security researchers have told BleepingComputer that the number of public images impacted by this flaw may be high, with VirusTotal alone hosting over 4,000 images affected by the Acropalypse bug.
Microsoft publicly released security updates for both the Windows 10 Snip & Sketch and Windows 11 Snipping Tool programs to resolve the Acropalypse flaw.
After installing this security update, Windows 11 Snipping Tool will be version 10.2008.3001.0, and Windows 10 Snip & Sketch will be version 11.2302.20.0. Microsoft is now tracking the vulnerability as CVE-2023-28303 and titled it “Windows Snipping Tool Information Disclosure Vulnerability.”
The vulnerability is classified as “Low” severity because it “requires uncommon user interaction and several factors outside of an attacker’s control.”
However, in practice, it is not uncommon to take a screenshot, save it, realize you need to crop something out, and then overwrite the original image.
That image would now be affected by the bug. The good news is that, regardless of how the image was created, if you do not share an affected image publicly, there is little risk of the flaw being exploited unless your device is compromised.
To install the security updates, users need to open the Microsoft Store and go to Library > Get Updates, and the latest version of the Windows Snipping Tool will be automatically installed.