Microsoft Issues Patch for aCropalypse Privacy Flaw in Windows Screenshot Tools

Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11.
"If you take a screenshot of your bank statement, save it to your desktop, and crop out your account number before saving it to the same location, the cropped image could still contain your account number in a hidden format that could be recovered by someone who has access to the complete image file," Microsoft explains.
The vulnerability has been addressed in app version 10.2008.3001.0 of Snip and Sketch installed on Windows 10 and version 11.2302.20.0 of Snipping Tool installed on Windows 11.
aCropalypse first came to light on March 18, 2022, when it was found that a bug in Google Pixel's Markup tool made it possible to retroactively reverse the changes introduced to screenshots, thereby recovering personal information from redacted screenshots and images, including those that have been cropped or had their contents masked.
The shortcoming has existed since the release of the Markup utility with Android 9 Pie in 2018, and images already shared over the past five years are vulnerable to the aCropalypse attack, raising possible privacy concerns.
"You can patch it, but you can't easily un-share all the vulnerable images you may have sent," Buchanan said in a tweet, describing it as a "Bad one."
News URL
https://thehackernews.com/2023/03/microsoft-issues-patch-for-acropalypse.html