Microsoft Fixes Security Flaw in Windows Screenshot Tools
On Friday, Microsoft disclosed a new information disclosure vulnerability affecting its screenshot editing tools in both Windows 10 and Windows 11.
The vulnerability (CVE-2023-28303) is called aCropalypse and could enable malicious actors to recover sections of screenshots, potentially revealing sensitive information.
The flaw affects Snip & Sketch in Windows 10 and Snipping Tool in Windows 11 (but not Snipping Tool in Windows 10) and has a low CVSS score of 3.3, according to Microsoft, as it requires user interaction to be exploited.
“The severity of this vulnerability is Low because successful exploitation requires uncommon user interaction and several factors outside of an attacker’s control,” reads the advisory.
For an attacker to exploit the issue, a user must have created an image under specific conditions:
- They must take a screenshot, save it to a file, edit it and then save the modified file to the same location.
- They must open an image in the Snipping Tool, edit it and then save the modified file to the same location.
“For example, if you take a screenshot of your bank statement, save it to your desktop and crop out your account number before saving it to the same location, the cropped image could still contain your account number in a hidden format that could be recovered by someone who has access to the complete image file,” Microsoft clarified.
“However, if you copy the cropped image from Snipping Tool and paste it into an email or a document, the hidden data will not be copied and your account number will be safe.”
The tech giant has now released fixes for the flaw in both screenshot tools. Users can apply the patches by updating to version 10.2008.3001.0 (Snip & Sketch) and version 11.2302.20.0 (Snipping Tool).
The updates come weeks after Microsoft fixed two zero-day vulnerabilities in its Patch Tuesday update for March.