Microsoft Issues Patch for aCropalypse Privacy Flaw in Windows Screenshot Tools

    From NewsKrawler@21:1/5 to All on Mon Mar 27 14:57:03 2023
    https://thehackernews.com/2023/03/microsoft-issues-patch-for-acropalypse.html
    Microsoft Issues Patch for aCropalypse Privacy Flaw in Windows Screenshot Tools

    Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11.

    The issue, dubbed aCropalypse, could enable malicious actors to recover
    edited portions of screenshots, potentially revealing sensitive information that may have been cropped out.

    Tracked as CVE-2023-28303, the vulnerability is rated 3.3 on the CVSS
    scoring system. It affects both the Snip & Sketch app on Windows 10 and the Snipping Tool on Windows 11.

    "The severity of this vulnerability is Low because successful exploitation requires uncommon user interaction and several factors outside of an
    attacker's control," Microsoft said in an advisory released on March 24,
    2023.

    Successful exploitation requires that the following two prerequisites are met:
    - The user must take a screenshot, save it to a file, modify the file (for example, crop it), and then save the modified file to the same location.
    - The user must open an image in Snipping Tool, modify the file (for example, crop it), and then save the modified file to the same location.
    However, it does not impact scenarios where an image is copied from the Snipping Tool or modified before saving it.

    "If you take a screenshot of your bank statement, save it to your desktop,
    and crop out your account number before saving it to the same location, the cropped image could still contain your account number in a hidden format
    that could be recovered by someone who has access to the complete image
    file," Microsoft explains.

    "However, if you copy the cropped image from Snipping Tool and paste it
    into an email or a document, the hidden data will not be copied, and your account number will be safe."

    The vulnerability has been addressed in version 10.2008.3001.0 of Snip &
    Sketch on Windows 10 and in version 11.2302.20.0 of Snipping Tool on
    Windows 11.

    aCropalypse first came to light on March 18, 2022, when it was found that a
    bug in Google Pixel's Markup tool made it possible to retroactively reverse
    the changes introduced to screenshots, thereby recovering personal
    information from redacted screenshots and images, including those that have been cropped or had their contents masked.

    Credited with discovering the problem are reverse engineers Simon Aarons
    and David Buchanan.

    The Pixel-related high-severity flaw, tracked as CVE-2023-21036, was
    reported to Google on January 2, 2023, and was fixed via an update released
    on March 6, 2023 for Pixel 4A, 5A, 7, and 7 Pro devices.

    The shortcoming has existed since the release of the Markup utility with Android 9 Pie in 2018, and images already shared over the past five years
    are vulnerable to the aCropalypse attack, raising possible privacy
    concerns.

    "You can patch it, but you can't easily un-share all the vulnerable images
    you may have sent," Buchanan said in a tweet, describing it as a "bad one."

    A similar issue with reversible cropping was recently disclosed in Google
    Docs as well, allowing users with view-only access to recover original
    versions of cropped images in shared documents without having the edit permissions to do so.
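    Microsoft's explanation above that a cropped screenshot "could still contain your account number in a hidden format" comes down to the old file's bytes surviving after the new, shorter image data. The check below is an added example, not code from the article or from Microsoft: it assumes the screenshot is a PNG (the Snipping Tool default), reports how many bytes follow the image's IEND chunk, which is where any leftover of the larger original ends up, and returns a copy cut at that point; the sample image it uses is constructed, not a real screenshot.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def find_png_end(data: bytes) -> int:
    """Offset just past the IEND chunk, or -1 if data is not a well-formed PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return -1
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # length + type + payload + CRC
        if end > len(data):
            return -1                        # truncated chunk
        if ctype == b"IEND":
            return end                       # decoders stop here; anything after is stale
        pos = end
    return -1                                # no IEND chunk found

def trailing_bytes(data: bytes) -> int:
    """Number of bytes after IEND (the aCropalypse leftover); -1 if not a PNG."""
    end = find_png_end(data)
    return -1 if end < 0 else len(data) - end

def strip_trailing_data(data: bytes) -> bytes:
    """Return the PNG cut at IEND so no stale pixel data travels with it."""
    end = find_png_end(data)
    if end < 0:
        raise ValueError("not a well-formed PNG")
    return data[:end]

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_sample_png(width: int, height: int) -> bytes:
    """Constructed 8-bit grayscale PNG used only as sample input (not a real screenshot)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes((x * 37 + y * 11) & 0xFF for x in range(width)) for y in range(height))
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows, 0)) + _chunk(b"IEND", b"")

if __name__ == "__main__":
    original = build_sample_png(64, 64)
    cropped = build_sample_png(2, 2)
    on_disk = cropped + original[len(cropped):]   # smaller image written over the old file without truncation
    print("stale bytes after IEND:", trailing_bytes(on_disk))
    print("clean copy equals cropped image:", strip_trailing_data(on_disk) == cropped)
```

    A non-zero count means data a viewer never displays is still inside the file; cutting the file at IEND before sharing removes it.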

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)