TrueCrypt, the venerable full-disk and container encryption software that was abandoned by its developers in 2014, was believed to be secure despite development of the software having ended. This was the consensus among the security community because the software had been audited by iSec (a subsidiary of NCC). They had taken separate looks at the boot loader and the application code and had not found any serious security flaws.
This strengthened the community’s trust in the software, and people continued to use it, confident that it was largely bug-free.
Fast forward to today: James Forshaw from Google’s Project Zero has taken a look at the source code and found two flaws that existed throughout the iSec audit. One is a critical EOP (escalation of privilege) bug that would allow an attacker to use the TrueCrypt application to get elevated access to a computer that has the software installed. While this would not give access to the containers on the Windows PC, and the data would remain encrypted, it is now only one additional step to bypass that hurdle. You could, for example, install a keylogger on the machine and use that to get access to the passwords without the user’s knowledge, thus breaking the encryption of the containers.
VeraCrypt has patched the flaws, and the current version is now safe from the EOP attack. Make sure you update VeraCrypt to the current version if you haven’t already. If you are still running TrueCrypt, now is the time to run for the hills, as this flaw is a deal-breaker. Having the TrueCrypt software installed is a direct security risk on all Windows systems.
This chain of events highlights the need for support from organizations like ours and people like you. You need as many eyes on critical security software as possible. Our efforts to draw more skilled developers into reviewing the code, both through bounties and direct funding of audits, are a crucial step in keeping software as secure as possible.
You can read more about the new flaws here: CVE-2015-7358 and CVE-2015-7359 (full disclosure has not occurred yet; this will be updated with links after full disclosure).