Pixel cropping flaw fixed on March 6, 2023 for Pixel 4A, 5A, 7, and 7 Pro devices

From: newskr...@krawl.org (NewsKrawler)
Newsgroups: comp.mobile.android
Subject: Pixel cropping flaw fixed on March 6, 2023 for Pixel 4A, 5A, 7, and 7 Pro devices
Date: Mon, 27 Mar 2023 15:00:33 -0000 (UTC)
Organization: To protect and to server
Message-ID: <tvsb2g$ctgh$1@paganini.bofh.team>

The Pixel-related high-severity flaw, tracked as CVE-2023-21036, was
reported to Google on January 2, 2023, and was fixed via an update
released on March 6, 2023 for Pixel 4A, 5A, 7, and 7 Pro devices.

https://thehackernews.com/2023/03/microsoft-issues-patch-for-acropalypse.html
Microsoft Issues Patch for aCropalypse Privacy Flaw in Windows Screenshot Tools

Microsoft has released an out-of-band update to address a privacy-defeating
flaw in its screenshot editing tool for Windows 10 and Windows 11.

The issue, dubbed aCropalypse, could enable malicious actors to recover
edited portions of screenshots, potentially revealing sensitive information
that may have been cropped out.

Tracked as CVE-2023-28303, the vulnerability is rated 3.3 on the CVSS
scoring system. It affects both the Snip & Sketch app on Windows 10 and the
Snipping Tool on Windows 11.

"The severity of this vulnerability is Low because successful exploitation
requires uncommon user interaction and several factors outside of an
attacker's control," Microsoft said in an advisory released on March 24,
2023.

Successful exploitation requires that the following two prerequisites are
met.

- The user must take a screenshot, save it to a file, modify the file (for
  example, crop it), and then save the modified file to the same location.
- The user must open an image in Snipping Tool, modify the file (for example,
  crop it), and then save the modified file to the same location.

However, it does not impact scenarios where an image is copied from the
Snipping Tool or modified before saving it.

"If you take a screenshot of your bank statement, save it to your desktop,
and crop out your account number before saving it to the same location, the
cropped image could still contain your account number in a hidden format
that could be recovered by someone who has access to the complete image
file," Microsoft explains.

"However, if you copy the cropped image from Snipping Tool and paste it
into an email or a document, the hidden data will not be copied, and your
account number will be safe."

The vulnerability has been addressed in app version 10.2008.3001.0 of Snip
and Sketch installed on Windows 10 and version 11.2302.20.0 of Snipping
Tool installed on Windows 11.

aCropalypse first came to light on March 18, 2022, when it was found that a
bug in Google Pixel's Markup tool made it possible to retroactively reverse
the changes introduced to screenshots, thereby recovering personal
information from redacted screenshots and images, including those that have
been cropped or had their contents masked.

Credited with discovering the problem are reverse engineers Simon Aarons
and David Buchanan.

The Pixel-related high-severity flaw, tracked as CVE-2023-21036, was
reported to Google on January 2, 2023, and was fixed via an update released
on March 6, 2023 for Pixel 4A, 5A, 7, and 7 Pro devices.

The shortcoming has existed since the release of the Markup utility with
Android 9 Pie in 2018, and images already shared over the past five years
are vulnerable to the aCropalypse attack, raising possible privacy
concerns.

"You can patch it, but you can't easily un-share all the vulnerable images
you may have sent," Buchanan said in a tweet, describing it as a "bad one."

A similar issue with reversible cropping was recently disclosed in Google
Docs as well, allowing users with view-only access to recover original
versions of cropped images in shared documents without having the edit
permissions to do so.
