Yesterday's update of the encryption software VeraCrypt fixed two vulnerabilities that security researcher James Forshaw discovered in TrueCrypt's source code.
TrueCrypt, which has been abandoned by its developers, is still widely used. This can be attributed largely to convenience and to the fact that the software's security audit did not turn up major critical vulnerabilities in the program.
The audit did find some issues which the VeraCrypt developers fixed (mostly) in previous updates.
VeraCrypt, which is based on TrueCrypt code but still under active development, is one of several options for TrueCrypt users who are looking for alternatives to the abandoned program.
The two vulnerabilities fixed in VeraCrypt 1.15 are:
Both appear to be local attacks, meaning that attackers need to gain local access to the PC to exploit them. Even so, it is certain that TrueCrypt won't be updated to fix these issues, which means that TrueCrypt remains vulnerable to attacks exploiting them.
TrueCrypt users therefore need to decide whether it is time to move to different encryption software or to keep using the vulnerable TrueCrypt.
VeraCrypt is one candidate for making the switch, especially since it can convert TrueCrypt containers and non-system partitions to the format it supports. The software can also mount TrueCrypt volumes, so it is possible to switch to it without making any changes to the system, provided that the system partition has not been encrypted using TrueCrypt.
The easiest way to deal with a system partition encrypted with TrueCrypt is to decrypt it using TrueCrypt before you encrypt it again from within VeraCrypt.
Other feature additions in VeraCrypt 1.15 and 1.14 include support for a volume expander in the Traveler Disk Setup, a regression fix in mounting of favorite volumes at user login, and options to verify a created rescue disk ISO image file.
It seems to be time to abandon TrueCrypt for good as it is likely that additional vulnerabilities will be found in the software in the future.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.