Microsoft has taken swift action to address the ‘Acropalypse’ bug, which we reported on earlier this week. The bug allowed information cropped out of images using Windows screenshot tools to be recovered. According to BleepingComputer, Microsoft has issued an out-of-band (OOB) update to fix the issue, which is tracked as CVE-2023-28303. The company recommends that users apply the update as soon as possible.
The process for applying the update is simple. Users can go to the Microsoft Store, click the Library icon on the left, and select Get updates from the top right. This will prompt the patch to be applied unless it has already been automatically installed.
Similar to the vulnerability that affected the Markup feature on Google Pixel phones, this one compromised images and screenshots cropped in the Windows 11 Snipping Tool and the Windows 10 Snip and Sketch tool. Specifically, parts of a PNG or JPEG image that had been cropped out were not correctly removed from the file after it was saved again. These cropped sections could contain sensitive information like bank account details or medical records.
It is important to note that applying the patch will not fix any files that have already been cropped. Users will need to recrop existing images to ensure that excess parts of the picture have been appropriately removed.
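Because the patch does not repair images that were cropped before it was installed, a practical next step is to find which already-saved files still carry data beyond the end of the visible image. The scanner below is an added example written for this article, not code from Microsoft or from the researchers who reported the bug. It assumes that retained cropped-out content shows up as bytes trailing the final PNG IEND chunk or the JPEG EOI marker, and it only reports how many such bytes exist; it never attempts to reconstruct anything. The sample PNG and JPEG byte strings are constructed inline so the script runs offline.

```python
"""Report PNG/JPEG files that carry data after their end-of-image marker.

Added example, not part of the original article. Assumption: leftover
cropped-out content, when present, sits after the PNG IEND chunk or the
JPEG EOI (FF D9) marker, so a clean file should have zero trailing bytes.
"""
import struct
import sys
import zlib
from pathlib import Path
from typing import Dict, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks and return the offset just past IEND, or None."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # length + type + data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk JPEG marker segments (and entropy-coded scans) up to EOI."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                  # malformed: expected a marker
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte, re-sync
            pos += 1
            continue
        if marker == 0xD9:               # EOI
            return pos + 2
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                     # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:               # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0 and not 0xD0 <= nxt <= 0xD7:
                    break                # a real marker, not FF00 or RSTn
                pos += 1
    return None


def trailing_bytes(data: bytes) -> Optional[int]:
    """Bytes after the image's end marker; None if not a recognised image."""
    end = png_end_offset(data)
    if end is None:
        end = jpeg_end_offset(data)
    return None if end is None else len(data) - end


def scan_directory(root: str) -> Dict[str, int]:
    """Map each image path under root to its trailing-byte count (if > 0)."""
    hits: Dict[str, int] = {}
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in {".png", ".jpg", ".jpeg"} and p.is_file():
            n = trailing_bytes(p.read_bytes())
            if n:
                hits[str(p)] = n
    return hits


# --- constructed sample inputs (not real screenshots) -----------------------
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Minimal valid 8-bit RGB PNG filled with black."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


# Structurally valid marker layout (APP0, SOS, entropy data with a stuffed
# FF00 and an RST0, then EOI); constructed, not a decodable photo.
SAMPLE_JPEG = (JPEG_SOI
               + b"\xff\xe0" + struct.pack(">H", 4) + b"\x00\x00"
               + b"\xff\xda" + struct.pack(">H", 4) + b"\x00\x00"
               + b"\x12\xff\x00\x34\xff\xd0\x56"
               + JPEG_EOI)

if __name__ == "__main__":
    for root in sys.argv[1:] or ["."]:
        for path, n in scan_directory(root).items():
            print(f"{path}: {n} trailing bytes, recrop and re-save")
```

Run it against a screenshots folder; any file listed should be recropped from the original (or re-saved with a patched tool) as the article advises. A small non-zero count can also come from tools that append their own metadata, so treat a hit as "needs attention" rather than as proof that cropped content is present.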
While the ability to recover cropped-out parts of images may not initially seem like a significant security vulnerability, it can be problematic. Tech journalists, in particular, understand that personal information such as email addresses, bank account numbers, and contact names must be cut out of pictures before sharing them widely on the internet. With so many of us sharing our photos with others, it is crucial from a security perspective that these images reveal only what we intended, and that is exactly what CVE-2023-28303 undermined.
Although Microsoft has acted quickly to test and apply the fix, it is concerning that this same bug has appeared separately in software from Microsoft and Google recently.