Microsoft has swiftly deployed emergency fixes for a security flaw in Windows 11 that affected the Snipping Tool (and the Snip & Sketch app in Windows 10, too).
Those screenshot-grabbing and editing utilities were blighted by an issue whereby cropped data in PNG image files wasn't being properly overwritten, playfully named the "acropalypse" bug.
In other words, when users crop a file, the part of the picture discarded could potentially be recovered and scrutinized by someone exploiting the flaw.
That may not sound like all that big a deal on the face of it, but if the cropped part of the image consists of sensitive details, there's a possibility the vulnerability could be leveraged to see that data.
As Microsoft puts it: "When an existing image is partially overwritten, an attacker may be able to recover parts of the original image through the use of a special tool."
Note that only some PNG files are affected, but clearly enough, this is still a worrying state of affairs. Notably, the PNG has to be cropped and saved to the same location on your drive to be vulnerable. In other cases, such as copying a cropped image from the Snipping Tool and pasting it into an email, the hidden data isn't copied across, and therefore can't be subsequently accessed.
At any rate, Microsoft has now produced the remedy, thankfully, in the form of updates for the respective apps.
To grab these patches (and we'd suggest you do this immediately), head to the Microsoft Store to update either the Snipping Tool or Snip & Sketch. (You should be running version 11.2302.20.0 or better for the former, and version 10.2008.3001.0 or newer for the latter.)
Of course, the bug is only fixed for PNG files created going forward. If you've already made and cropped a PNG in recent times, then the flaw will still be present, and that image could still potentially be vulnerable to attack - providing you've shared it online, away from your PC. There's not much Microsoft can do about existing files that might carry the bug for obvious reasons.
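Because existing files can't be fixed by the app update, it helps to be able to check them yourself. The root cause is that the cropped PNG was written over the original file without truncating it, so the old bytes survive after the new file's IEND chunk (the marker every well-formed PNG ends with). The script below is an added example, not Microsoft's code or a tool from the article: it builds a small constructed PNG, simulates the in-place overwrite, reports how many leftover bytes follow IEND, and strips them. Everything after IEND is treated as leaked data; the helper and sample names are the author's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte PNG signature

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, 4-byte type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_png(width: int, height: int, rgb: bytes) -> bytes:
    """Build a minimal 8-bit RGB PNG from raw pixel bytes (constructed sample, not a real screenshot)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # bit depth 8, colour type 2 (RGB)
    rows = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))  # filter 0 per row
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(rows)) + png_chunk(b"IEND", b"")

def find_iend_end(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND, i.e. where a well-formed PNG must end."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")

def trailing_bytes(data: bytes) -> int:
    """Number of bytes after IEND. Anything above zero is leftover data a viewer ignores but a reader can see."""
    return len(data) - find_iend_end(data)

def truncate_at_iend(data: bytes) -> bytes:
    """Mitigation for an already-cropped file: drop everything after IEND before sharing it."""
    return data[:find_iend_end(data)]

def simulate_in_place_overwrite(old: bytes, new: bytes) -> bytes:
    """Model the bug: the smaller cropped PNG is written over the old file without truncating it."""
    return new + old[len(new):]

if __name__ == "__main__":
    original = build_png(4, 4, bytes(range(48)))   # constructed 4x4 "screenshot"
    cropped = build_png(2, 2, bytes(range(12)))    # constructed 2x2 crop of it
    on_disk = simulate_in_place_overwrite(original, cropped)
    print("leftover bytes after IEND:", trailing_bytes(on_disk))
    print("after truncation:", trailing_bytes(truncate_at_iend(on_disk)))
```

To audit a folder of screenshots, read each file in binary mode and call `trailing_bytes` on it; a clean PNG returns 0.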
You may recall that Android users were also troubled by this "acropalypse" bug, and Google had to patch its Markup Tool to defend against it on Pixel devices earlier this month.
Microsoft rated the vulnerability with a severity of 'low' due to there being several factors beyond the attacker's control regarding whether or not any given PNG can have its cropped contents peeked at, and also that exploitation requires "uncommon user interaction."
However, Microsoft is rather playing things down here, it would seem. Security experts spoke to BleepingComputer and indicated the number of public images hit by the security flaw might be 'high', and VirusTotal is showing over 4,000 images affected by the bug.