2023-03-23
Acropalypse Bug Also Affects Windows Tools, Microsoft Testing Fix
Editor's Note
I’m sure similar issues will now be found with lots of image, video and audio editing tools and applications. This bug points out there really is a developer mindset (“I can easily just move the IEND chunk to crop this data file” without thinking “and I need to delete the cropped data, too”) vs. a good tester methodology of “I wonder if I can still find any of the ‘cropped’ data.” This is why we see so much success from managed bug bounty programs even after 20 years of secure development life cycles and developer training.
John Pescatore
Practitioner's note: To demonstrate this in Windows, hit <Win><Shift>s to snag part of the screen. In the Snipping Tool itself, save that screen grab, and look at the size of the file. Now, in the Snipping Tool, use the Crop tool to cut off the bottom half of the image. Save it again with the same file name. The file size has not changed! Much of the original data is still present in the cropped file. You can mitigate this specific case by saving the cropped image with a new name (or wait for a patch).
Christopher Elgee
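The two notes above describe the same condition: image data left behind after the PNG's IEND chunk when a cropped image is saved over the original. As an added example (not part of the newsletter and not any vendor's code), this check walks the PNG chunks and reports or strips bytes after IEND. The sample images are constructed inline, and the save over the same file name is modeled by the hypothetical helper `overwrite_in_place`.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width: int, height: int) -> bytes:
    """Constructed sample input: a minimal 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(width) for _ in range(height))  # filter byte + row
    idat = zlib.compress(raw, 0)  # level 0 (stored) so file size tracks pixel count
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def overwrite_in_place(old: bytes, new: bytes) -> bytes:
    """Hypothetical model of saving over the same file without truncating it."""
    return new + old[len(new):]

def end_of_png(blob: bytes) -> int:
    """Return the offset just past IEND, validating each chunk on the way."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            raise ValueError("truncated chunk")
        if struct.unpack(">I", blob[end - 4:end])[0] != zlib.crc32(blob[pos + 4:end - 4]):
            raise ValueError("bad chunk CRC")
        if blob[pos + 4:pos + 8] == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk")

def trailing_bytes(blob: bytes) -> int:
    return len(blob) - end_of_png(blob)

def strip_trailing(blob: bytes) -> bytes:
    return blob[:end_of_png(blob)]

if __name__ == "__main__":
    old, new = make_png(64, 64), make_png(64, 32)  # original and its cropped version
    saved = overwrite_in_place(old, new)
    print("file size unchanged:", len(saved) == len(old))
    print("bytes after IEND:", trailing_bytes(saved))
```

A nonzero result from `trailing_bytes` on a screenshot or shared image means the file carries data a viewer never displays; `strip_trailing` returns only the bytes up to and including IEND.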
Redaction has to be done right. Tools like the snipping tool or the photo editor on your smartphone make it easier, but aren't necessarily comprehensive. Recall when it was learned a popular PDF editor used layers for redaction, but if you selected the text or exported the text, the redacted information was available? This time it's about understanding what metadata is in an image. As the researcher noted, a small, redacted, thumbnail-sized image was still 5MB. While we have been advising co-workers to make a new image or document which contains the resulting image, you're probably going to have to show them what metadata remains on a redacted photo (such as the full photo in the embedded thumbnail), to make it real.
Lee Neely
applications take advantage of open-source libraries. A flaw in one or more of those libraries can lead to a vulnerable application. A SBOM will at least list the software libraries used by the application, helping to identify and close cross-platform vulnerabilities.