Microsoft has released an Emergency Security Update for Windows 10 and Windows 11 Snipping Tool to address Acropalypse’s privacy vulnerability.
The Acropalypse vulnerability, now tracked as CVE-2023-28303, is caused by image editors improperly removing cropped image data when overwriting the original file.
To exploit this vulnerability, the image must be created under very specific conditions as listed.
The severity of this vulnerability is Low because successful exploitation requires uncommon user interaction and several factors outside of an attacker’s control. For an image to be subject to this issue, a user must have created it under specific conditions:
- The user must take a screenshot, saved it to a file, modify the file (for example, crop it), and then save the modified file to the same location.
- The user must open an image in Snipping Tool, modify the file (for example, crop it), and then save the modified file to the same location.
According to the information provided by Microsoft, “The default Snipping Tool in Windows 10 and older versions are unaffected. Only Snip & Sketch in Windows 10 and Snipping Tool in Windows 11 are affected by this vulnerability. A security update has been released for these applications, which are available through the Microsoft Store.”
This is the information provide to verify if the system is affected:
- For Snip and Sketch installed on Windows 10, app versions 10.2008.3001.0 and later contain this update.
- For Snipping Tool installed on Windows 11, app versions 11.2302.20.0 and later contain this update.