Google researcher to publish critical flaw in TrueCrypt soon
A Google researcher will soon publish a critical flaw in TrueCrypt. This allows attackers to create an exploit, which allows attackers to gain administrator rights on the PC. There will be no patch for the encryption program.
The researcher says on Twitter that he will wait seven days after a developer releases a patch to release details, in order to reduce the chance of an exploit of the vulnerability. Since fork VeraCrypt released the patch last Saturday, it will likely put the details online next weekend. TrueCrypt users cannot protect themselves from an exploit of the vulnerability because the developers stopped updating TrueCrypt some time ago.
The critical flaw is associated with another less critical flaw in the driver that TrueCrypt and VeraCrypt install on Windows machines, ITWorld reports. The vulnerability could allow an attacker to gain more administrative privileges on an account that does not have it itself. The leak uses the assignment of letters to disks.
It appears that the leak has nothing to do with already encrypted disks. However, it is possible with admin rights to install other software that ensures that new data is no longer encrypted.
TrueCrypt will no longer be updated. The developers, who are still anonymous, warned a year and a half ago not to use the software anymore and announced they would stop using the program, which allows users to encrypt parts of the hard drive on Windows PCs. Since then, there have been several audits to look for possible back doors in the software, but these have yielded nothing.
VeraCrypt is the unofficial successor to TrueCrypt and has since closed the leak. The developers of that program regularly release updates with fixes. The leaks the Google researcher found will appear online as CVE-2015-7358 and CVE-2015-7359.