VeraCrypt 1.15 fixes two recently reported TrueCrypt vulnerabilities
Yesterday's update of the encryption software VeraCrypt fixed two vulnerabilities that security researcher James Forshaw discovered in TrueCrypt's source code.
TrueCrypt, which has been abandoned by its developers, is still widely used. This can be attributed largely to convenience and that the software's security audit did not turn up major critical vulnerabilities in the program.
The audit did find some issues which the VeraCrypt developers fixed (mostly) in previous updates.
VeraCrypt, which is based on TrueCrypt code but still under active development, is one of several alternatives for TrueCrypt users who are looking for alternatives for the abandoned program.
The two vulnerabilities fixed in VeraCrypt 1.15 are:
- CVE-2015-7358 (critical): Local Elevation of Privilege on Windows by abusing drive letter handling.
- CVE-2015-7359: Local Elevation of Privilege on Windows caused by incorrect Impersonation Token Handling.
Both appear to be local attacks meaning that attackers need to gain local access to the PC to exploit them. While that is the case, it is certain that TrueCrypt won't be updated to fix these issues in the software which in turn means that TrueCrypt remains vulnerable to attacks exploiting them.
This in turn means that TrueCrypt users need to decide whether it is time to move to another encryption software or keep using the vulnerable TrueCrypt.
VeraCrypt is one candidate for making the switch, especially since it can convert TrueCrypt containers and non-system partitions to the format it supports. The software can mount TrueCrypt volumes furthermore so that it is possible to switch to it without making any changes to the system provided that the system partition has not been encrypted using TrueCrypt.
The easiest way to deal with it is to decrypt it using TrueCrypt before you encrypt it again from within VeraCrypt.
Other feature additions in VeraCrypt 1.15 and 1.14 include support for a volume expander in the Traveler Disk Setup, a regression fix in mounting of favorite volumes at user login, and options to verify a created rescue disk ISO image file.
It seems to be time to abandon TrueCrypt for good as it is likely that additional vulnerabilities will be found in the software in the future.
At least these are local vulnerabilities – privilege escalation to be specific. Honestly, I haven’t yet decided whether I should trust VeraCrypt over TrueCrypt’s last encryption-enabled release. It’s a tough call. Why was TrueCrypt really abandoned in the way it was? We may never know. We don’t really even know who it’s primary contributors were. Now VeraCrypt is here. Do we trust them, and it? If we trust by default, then they’ve given us no reason not to trust them. In contrast, if we are skeptical by default, they’ve not had enough time to earn our trust.
You just channeled my thoughts. I think the bottom line is the old quote from X-Files … ‘trust no one’. I use an embedded inner volume with plausible deniability, and a password that exists nowhere except in my head.That’s probably about as good as I can hope for.
I would be afraid to do that. Does it just convert the header or really the whole file?
Does it need the same amount of diskspace to copy it while converting?
I will download this right now.
It’s a clear night here! Whoo! I am going to see the Super Blood Moon Lunar Eclipse!
And what IF the true relationship between TrueCrypt and VeraCrypt was the reverse of what is officially mentioned?
What if the truth was that the TrueCrypt developers had been required to modify their code to allow TrueCrypt volumes to be deciphered and that, with their refusal, a campaign had been issued to discredit it with VeraCrypt glorified as the solution?
Nowadays nothing surprises me anymore. I’m neither cynical nor paranoid but we all know that when it comes to the ability to dig into one’s secrets all attitudes can be imagined. Imagined only. I’m sticking on TrueCrypt for the time being, motivated by doubt not by convictions.
Is VeraCrypt not open source?
Even if it is, and I am going to assume it is (may not be), as we saw with TrueCrypt, or countless other large open source projects — that doesn’t mean much unless someone pays to do a full audit of the code, and perhaps continually does such. The projects are too large and encryption itself too complex for a programmer to just look and say ‘Looks good!’. Open source being inherently secure because it’s ‘open’ is one of the great fallacies in the world.
And there’s no guarantee that the binary you download is compiled from the published source.
It appears Everything is no longer cataloging the veracrypt v1.15 container drives once mounted. Both on win7.32 and winxp.
Anyone else having this problem?