Microsoft Fixes Security Flaw in Windows Screenshot Tools

Microsoft announced a new information disclosure vulnerability on Friday, for a bug affecting its screenshot editing tools in both Windows 10 and Windows 11. 

The vulnerability (CVE-2023-28303) is called aCropalypse and could enable malicious actors to recover sections of screenshots, potentially revealing sensitive information. 

Read more on screenshot-supported malware here: New Threat Group Reviews Screenshots Before Striking

The flaw affects Snip & Sketch in Windows 10 and Snipping Tool in Windows 11 (but not Snipping Tool in Windows 10) and has a low CVSS score of 3.3, according to Microsoft, as it requires user interaction to be exploited.

“The severity of this vulnerability is Low because successful exploitation requires uncommon user interaction and several factors outside of an attacker’s control,” reads the advisory.

For an attacker to exploit the issue, a user must have created an image under specific conditions: 

  • They must take a screenshot, save it to a file, edit it and then save the modified file to the same location.

  • They must open an image in the Snipping Tool, edit it and then save the modified file to the same location.

“For example, if you take a screenshot of your bank statement, save it to your desktop and crop out your account number before saving it to the same location, the cropped image could still contain your account number in a hidden format that could be recovered by someone who has access to the complete image file,” Microsoft clarified.

“However, if you copy the cropped image from Snipping Tool and paste it into an email or a document, the hidden data will not be copied and your account number will be safe.”

The tech giant has now released fixes for the flaw in both screenshot tools. Users can implement the patches by updating to version 10.2008.3001.0 (Snip and Sketch) and version 11.2302.20.0 (Snipping Tool).

The updates come weeks after Microsoft fixed two zero day vulnerabilities in its Patch Tuesday update for March.

What’s hot on Infosecurity Magazine?