TrueCrypt Windows encryption app has critical security flaws

Steve Dent, @stevetdent
September 30, 2015

If you're still using TrueCrypt to protect your Windows disks, even though its developers abandoned it and said it was "not secure" last year, you may want to stop that. Google Project Zero researcher James Forshaw found two "privilege elevation" holes in the popular software that would give attackers full access to your data. Worse yet, TrueCrypt was audited earlier this year by a crowdfunded team of iSec security researchers and found to be error-free. Forshaw said on Twitter that the miss was understandable, though: "iSec phase 1 audit reviewed this specific code but Windows drivers are complex beasts (and) easy to miss."

Forshaw hasn't disclosed the bugs yet, saying he usually waits seven days after a patch is released. He and other researchers agree that the vulnerabilities -- which can reportedly be exploited by "abusive drive letter handling" -- weren't deliberately installed. And they won't, of course, be fixed in the original program's code.

However, if you're using TrueCrypt because "free" is a good price, there are other options -- VeraCrypt and CipherShed are open source forks of TrueCrypt, and VeraCrypt has already patched the bugs. Suffice it to say, you should stop using TrueCrypt within the seven-day window before Forshaw releases the exploitable code. Even if you do, however, we likely haven't heard the end of this type of Windows vulnerability. VeraCrypt's Mounir Idrassi told Threatpost that "These are the kind of vulnerabilities that exist in (lots of) software on Windows," and that will be (and have been) used by hackers for years.
