Microsoft Issues Emergency Windows Patch For Acropalypse Privacy Flaw, Download ASAP
The issue in both Google's Pixel image editor and the Windows cropping tool comes down to what the software does with cropped data. It's supposed to be discarded, but security researchers discovered that excess data was retained after the IEND marker, which is supposed to mark the end of a PNG file. This doesn't affect every image, but saving over top of another file triggers the bug every time. For example, you take a screenshot, realize you need to crop something out of it, and then edit and save over the same file with the cropping tool.
With a little patience, it's possible to recover the cropped parts of the file. It might not seem like a big deal, but people often use the cropping tool to hide personal information like emails or account numbers. Microsoft has noted in its security update center for CVE-2023-28303 that the vulnerability is easy to exploit, but it has marked it as low severity because it requires user interaction (saving the file).
Version 11.2302.20.0 of the Snipping Tool has been patched for Acropalypse
Microsoft has released an OOB (out-of-band) update for this flaw, but it won't require a full system update the way most security fixes do. The Windows 11 Snipping Tool is hosted in the Microsoft Store, so it's a relatively simple matter to push an update there. If you've ever opened the store, you probably have the default update settings, which allow apps to update in the background. Thus, you may already have v11.2302.20.0 with the bug patch.
If you want to make sure your Windows 11 editing tool is fixed, just open the Microsoft Store and click on Library. From there, you can see all the installed apps, and which (if any) have updates. Simply verify that the Snipping Tool is up to date, and you'll be safe from this bug. Windows 10 and earlier are not affected.