If you're still using TrueCrypt, more security flaws mean it's time to move on
Security-minded computer users frequently turn to encryption to protect sensitive files. For those looking to go a step further, TrueCrypt offered full-disk encryption... at least it did until it was abandoned by its developers.
Since the software was dropped, researchers have discovered that it contains numerous security vulnerabilities, and two new flaws have been found that allow an attacker to gain elevated privileges. As part of Google's Project Zero, security researchers have been probing the encryption software -- which is still widely used -- for additional problems. The severity of the newly-discovered problems has led to renewed calls for remaining TrueCrypt users to seek an alternative.
The person who unearthed the vulnerabilities, James Forshaw, has not revealed full details of his findings, but there has clearly been communication with developers. Although TrueCrypt was ditched last year, a maintained fork called VeraCrypt lives on. The latest build of this program patches the vulnerabilities as detailed in the release notes:
Fix two TrueCrypt vulnerabilities reported by James Forshaw (Google Project Zero)
- CVE-2015-7358 (critical): Local Elevation of Privilege on Windows by abusing drive letter handling.
- CVE-2015-7359: Local Elevation of Privilege on Windows caused by incorrect Impersonation Token Handling.
Once the build has been available for a week, Forshaw has said that he will release more details about the vulnerabilities:
@v998n @VeraCrypt_IDRIX I don't tend to open up security bug reports until 7 days or so after the release of the patch, just in case :-)
— James Forshaw (@tiraniddo) September 27, 2015
If you are still relying on TrueCrypt, now is the time to move on. VeraCrypt has proved itself to be a solid fork with regular maintenance, and this latest revelation shows the importance of using the most recent versions of any security software.
Photo credit: Maksim Kabakou / Shutterstock