Microsoft pushes out an emergency fix for the dangerous ‘acropalypse’ bug
Microsoft has acted swiftly to patch up the worrying ‘acropalypse’ bug that we reported on earlier this week – a bug that could enable information cropped out of images by the Windows screenshot tools to be recovered.
As per BleepingComputer, Microsoft has now issued an OOB (out-of-band or emergency) update that fixes the issue, which has the technical designation of CVE-2023-28303. Microsoft is recommending that users apply the update at their earliest opportunity, as you might expect.
Applying the update isn’t difficult at all: from the Microsoft Store, click the Library icon on the left, then pick Get updates (top right). This should force the patch to be applied, if it hasn’t already been automatically installed.
Carry on cropping
The bug – which is similar to one that has affected the Markup feature on Google Pixel phones – means that images and screenshots cropped in the Windows 11 Snipping Tool and the Windows 10 Snip and Sketch tool could be compromised.
Essentially, the CVE-2023-28303 vulnerability means that parts of a PNG or JPEG image that have been cropped out aren’t properly removed from the file after it’s saved again. Those cropped sections could include sensitive information such as bank account details or medical records, for example.
It’s important to note that applying the patch won’t fix any files that have already been cropped, only ones that are edited in the future. You’ll need to recrop any existing images to be sure the excess parts of the picture have been properly removed.
Analysis: a quick fix for a worrying bug
At first, the opportunity of recovering cropped out parts of images may not seem like a particularly terrible security vulnerability – after all, who cares if someone manages to add back in some empty sky that you’ve removed from one of your vacation photos?
There are lots of reasons that images are cropped though, as tech journalists know all too well. Personal information such as email addresses, bank account numbers and contact names need to be cut out of pictures before they’re shared widely on the internet.
With so many of us sharing so many of our photos with other people and on the web at large, it’s crucial from a security perspective that these images don’t reveal more than we want them too – something which was a problem with CVE-2023-28303.
Microsoft has at least acted quickly to get the fix tested and then applied – but it’s a concern that this same bug has appeared completely separately in software from both Microsoft and Google in recent days.