Microsoft has released an update to fix a screenshot-editing vulnerability in Windows 10 and 11, as spotted by BleepingComputer. The security flaw, dubbed “aCropalypse,” could allow bad actors to recover edited portions of screenshots, potentially revealing personal information that was cropped out or hidden.
According to Microsoft, the issue (CVE-2023-28303) affects both the Snip & Sketch app in Windows 10 and the Snipping Tool in Windows 11. However, it only affects images produced by a very specific sequence of steps: screenshots that were taken, saved, edited and then saved over the original file, and images that were opened in the tool, cropped or edited and then saved back to the same location. Screenshots that were edited before being saved for the first time are not affected, and neither are screenshots that were copied and pasted into, say, the body of an email or document.
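The "saved over the original file" condition matters because of how the flaw works: the edited image is written in place without the file being truncated, so whatever bytes of the original lay beyond the end of the new image stay in the file after the PNG's IEND chunk. The following is an added example, not code from the article, Microsoft or the researchers; it builds a constructed PNG in memory, models the overwrite-without-truncate failure mode, and shows the check a defender can run on a screenshot before sharing it: count the bytes that follow IEND. Function names (`make_png`, `trailing_bytes_after_iend`, `safe_to_share`, `simulate_overwrite_without_truncate`) are hypothetical. It only measures leftover data; it does not attempt to recover it.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(kind: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, 4-byte type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(kind + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + kind + payload + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb=(0, 0, 0)) -> bytes:
    """Build a minimal, valid 8-bit RGB PNG of a single solid colour (constructed sample data)."""
    # IHDR: width, height, bit depth 8, colour type 2 (RGB), compression 0, filter 0, no interlace
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width  # filter-type byte 0 followed by the pixels
    idat = zlib.compress(row * height)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iend_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk's CRC.

    Raises ValueError if the data is not a PNG or no IEND chunk is present.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + payload + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if kind == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")


def trailing_bytes_after_iend(data: bytes) -> int:
    """Number of bytes following the IEND chunk.

    A writer that truncates the file leaves zero. A file overwritten in place
    without truncation keeps the tail of the previous (larger) image here.
    """
    return len(data) - iend_offset(data)


def safe_to_share(data: bytes) -> bool:
    """True when nothing follows IEND, i.e. no leftover data from an earlier save."""
    return trailing_bytes_after_iend(data) == 0


def simulate_overwrite_without_truncate(original: bytes, edited: bytes) -> bytes:
    """Model the failure mode: the edited (shorter) file is written at offset 0 of the
    original without truncating, so the original's tail survives past the new IEND."""
    if len(edited) >= len(original):
        return edited
    return edited + original[len(edited):]


if __name__ == "__main__":
    # Constructed scenario: a 200x200 screenshot cropped down to 1x1 and saved over itself.
    original = make_png(200, 200, (255, 0, 0))
    edited = make_png(1, 1, (255, 0, 0))
    leaky = simulate_overwrite_without_truncate(original, edited)
    print("clean file, bytes after IEND:", trailing_bytes_after_iend(original))
    print("overwritten file, bytes after IEND:", trailing_bytes_after_iend(leaky))
    print("safe to share:", safe_to_share(leaky))
```

To triage real files, read each screenshot with `open(path, "rb").read()` and pass it to `safe_to_share`; any file reporting a non-zero trailing count was likely saved over a larger original and should be re-exported to a fresh file before it is published. Note that some legitimate tools also append data after IEND, so a non-zero count is a reason to re-export, not proof of what the trailing bytes contain.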
Microsoft first learned of the problem earlier this week. Chris Blume, the chair of the PNG image format working group, then brought it to the attention of David Buchanan and Simon Aarons, the same security researchers who discovered the aCropalypse vulnerability affecting the Google Pixel Markup tool. Similarly, it allows attackers to undo changes made to screenshots, making it possible to reveal personal information in an image that someone thought they were hiding, whether by cropping it out or scribbling over it.
You can download the latest updates for the affected Windows apps by opening the Microsoft Store, clicking Library and then selecting Get updates. If you have automatic updates enabled, you should see that the Snipping Tool is at version 10.2008.3001.0 and Snip & Sketch is at version 11.2302.20.0. Just like the patch issued by Google, Microsoft’s fix will not retroactively correct edited screenshots that have already been posted online, which could leave thousands of screenshots on the web exposed to bad actors.