Microsoft has released an update addressing a screenshot-snipping vulnerability in Windows 10 and 11 that could let malicious actors recover edited parts of screenshots to view sensitive information.

Dubbed “aCropalypse” and tracked as CVE-2023-28303, the security flaw affects both the Snip & Sketch app in Windows 10 and the Snipping Tool in Windows 11, Microsoft says.

“The severity of this vulnerability is Low because successful exploitation requires uncommon user interaction and several factors outside of an attacker’s control,” Microsoft said.

The tech giant also noted that the vulnerability applies only to images created in a specific way: those saved, edited and then saved over the original file, and those opened in the Snipping Tool, edited and then saved to the same location.

Microsoft specified that screenshots modified before saving, and those copied and pasted, are unaffected by the security flaw.
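The condition Microsoft describes (an edited image saved over its original) matters because of the publicly documented mechanism behind this bug class: the editor writes the smaller edited PNG into the existing file without truncating it, so the tail of the original file survives after the new image's IEND chunk. The script below is an added example, not code from the article, Microsoft or the researchers; it builds two constructed PNGs in memory, simulates a non-truncating overwrite, and reports how many bytes follow IEND. Defenders can point `scan_file` at screenshots in a share or ticket system to find files that still carry leftover data and should be re-exported from a fresh save. A non-zero count is a triage signal, not proof that the leftover bytes decode to a recoverable image; the script does not attempt any recovery.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunks(data: bytes):
    """Yield (chunk_type, end_offset) for each chunk of a PNG byte string.

    Parsing stops at the first IEND chunk, which is where a well-formed
    PNG ends; anything after that offset is trailing data.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # 8-byte header + payload + 4-byte CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        yield ctype, end
        pos = end
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def trailing_bytes_after_iend(data: bytes) -> int:
    """Return the number of bytes that follow the IEND chunk (0 for a clean PNG)."""
    end = 0
    for _ctype, chunk_end in png_chunks(data):
        end = chunk_end
    return len(data) - end


def scan_file(path: str) -> int:
    """Convenience wrapper: trailing-byte count for a PNG on disk."""
    with open(path, "rb") as fh:
        return trailing_bytes_after_iend(fh.read())


def make_png(rows: list) -> bytes:
    """Build a minimal 8-bit RGBA PNG from raw scanlines (constructed test input)."""
    height = len(rows)
    width = len(rows[0]) // 4  # four bytes per RGBA pixel

    def chunk(ctype: bytes, payload: bytes) -> bytes:
        body = ctype + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # bit depth 8, colour type 6 (RGBA)
    raw = b"".join(b"\x00" + row for row in rows)  # filter byte 0 before each scanline
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


# Constructed sample data: a 64x64 "screenshot" with a noisy pattern (compresses poorly,
# so the file is large) and an 8x8 solid-colour "crop" that is much smaller.
ORIGINAL = make_png([bytes((x * 7 + y * 13) & 0xFF for x in range(64 * 4)) for y in range(64)])
CROPPED = make_png([bytes([200, 30, 30, 255]) * 8 for _ in range(8)])

# Model of the faulty save: the cropped image is written over the start of the
# original file, but the file is never truncated, so the old tail remains.
OVERWRITTEN = CROPPED + ORIGINAL[len(CROPPED):]


if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("cropped", CROPPED), ("overwritten", OVERWRITTEN)):
        print(f"{name:12s} size={len(blob):6d} trailing_after_IEND={trailing_bytes_after_iend(blob)}")
```

A freshly exported PNG yields 0; the simulated overwrite yields exactly the difference between the two file sizes, which is the amount of leftover original data a defender would want removed before the image is shared.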

Windows users can update the affected apps by going to the Microsoft Store, selecting Library, and clicking Get Updates.

Those with automatic updates enabled should see their Snipping Tool set to version 10.2008.3001.0 or their Snip & Sketch tool version set to 11.2302.20.0.

Software developer Chris Blume discovered the vulnerability — which could allow bad actors to potentially recover and view cropped PNG data — on Tuesday, 21 March 2023.

Cybersecurity researcher David Buchanan confirmed that extraction of the cropped data is achievable using a modified version of a script used to demonstrate a similar vulnerability within the Android operating system.

“Windows Snipping Tool is vulnerable to aCropalypse too. An entirely unrelated codebase,” Buchanan said.

“The same exploit script works with minor changes (the pixel format is RGBA not RGB). Tested myself on Windows 11.”

Buchanan and programmer Simon Aarons had previously discovered the “aCropalypse” vulnerability in the screenshot editing tool on Google Pixel phones.