Security News > 2023 > March > Microsoft assigns CVE to Snipping Tool bug, pushes patch to Store

Traditional, well-behaved image viewers, including the very tool you just used to crop the file, would ignore the extra data, but deliberately-coded data recovery or snooping apps might not.

The low-level details of the bug were different, not least because Google's app was coded in Java and used Java libraries, while Microsoft's apps are written in C++ and use Windows libraries, but the leaky side-effects were identical.

The good news for Windows users is that Microsoft has now assigned the identifier CVE-2023-28303 to its own flavour of the aCropalypse bug, and has uploaded patched versions of the affected apps to the Microsoft Store.

In our own Windows 11 Enterprise Edition install, Windows Update showed nothing new or patched that we needed since last week, but manually updating the Snipping Tool app via the Microsoft Store updated us from 11.2302.4.0 to 11.2302.20.0.

We're not sure what version number you'll see if you open the buggy Windows 10 Snip & Sketch app, but after updating from the Microsoft Store, you should be looking for 10.2008.3001.0 or later.

The Microsoft Store's own pitch for the Snipping Tool describes it as a quick way to "Save, paste or share with other apps."

News URL

https://nakedsecurity.sophos.com/2023/03/27/microsoft-assigns-cve-to-snipping-tool-bug-pushes-patch-to-store/