VeraCrypt 1.15 fixes two recently reported TrueCrypt vulnerabilities - gHacks Tech News

VeraCrypt 1.15 fixes two recently reported TrueCrypt vulnerabilities

Yesterday's update of the encryption software VeraCyrpt fixed two vulnerabilities that security researcher James Forshaw discovered in TrueCrypt's source code.

TrueCrypt, which has been abandoned by its developers, is still widely used. This can be attributed largely to convenience and that the software's security audit did not turn up major critical vulnerabilities in the program.

The audit did find some issues which the VeraCrypt developers fixed (mostly) in previous updates.

VeraCrypt, which is based on TrueCrypt code but still under active development, is one of several alternatives for TrueCrypt users who are looking for alternatives for the abandoned program.

The two vulnerabilities fixed in VeraCrypt 1.15 are:

  • CVE-2015-7358 (critical): Local Elevation of Privilege on Windows by abusing drive letter handling.
  • CVE-2015-7359: Local Elevation of Privilege on Windows caused by incorrect Impersonation Token Handling.

Both appear to be local attacks meaning that attackers need to gain local access to the PC to exploit them. While that is the case, it is certain that TrueCrypt won't be updated to fix these issues in the software which in turn means that TrueCrypt remains vulnerable to attacks exploiting them.

veracrypt 1.15

This in turn means that TrueCrypt users need to decide whether it is time to move to another encryption software or keep using the vulnerable TrueCrypt.

VeraCrypt is one candidate for making the switch, especially since it can convert TrueCrypt containers and non-system partitions to the format it supports. The software can mount TrueCrypt volumes furthermore so that it is possible to switch to it without making any changes to the system provided that the system partition has not been encrypted using TrueCrypt.

The easiest way to deal with it is to decrypt it using TrueCrypt before you encrypt it again from within VeraCrypt.

Other feature additions in VeraCrypt 1.15 and 1.14 include support for a volume expander in the Traveler Disk Setup, a regression fix in mounting of favorite volumes at user login, and options to verify a created rescue disk ISO image file.

It seems to be time to abandon TrueCrypt for good as it is likely that additional vulnerabilities will be found in the software in the future.

Summary
VeraCrypt 1.15 fixes two recently reported TrueCrypt vulnerabilities
Article Name
VeraCrypt 1.15 fixes two recently reported TrueCrypt vulnerabilities
Description
The most recent VeraCrypt update to version 1.15 fixes two recently discovered vulnerabilities in the encryption software TrueCrypt.
Author




  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. Jeremy Collake said on September 27, 2015 at 9:51 pm
      Reply

      At least these are local vulnerabilities – privilege escalation to be specific. Honestly, I haven’t yet decided whether I should trust VeraCrypt over TrueCrypt’s last encryption-enabled release. It’s a tough call. Why was TrueCrypt really abandoned in the way it was? We may never know. We don’t really even know who it’s primary contributors were. Now VeraCrypt is here. Do we trust them, and it? If we trust by default, then they’ve given us no reason not to trust them. In contrast, if we are skeptical by default, they’ve not had enough time to earn our trust.

      1. Jeff said on September 27, 2015 at 10:26 pm
        Reply

        You just channeled my thoughts. I think the bottom line is the old quote from X-Files … ‘trust no one’. I use an embedded inner volume with plausible deniability, and a password that exists nowhere except in my head.That’s probably about as good as I can hope for.

    2. Ben said on September 27, 2015 at 10:17 pm
      Reply

      Convert?
      I would be afraid to do that. Does it just convert the header or really the whole file?
      Does it need the same amount of diskspace to copy it while converting?

    3. XenoSilvano said on September 27, 2015 at 11:29 pm
      Reply

      I will download this right now.

      It’s a clear night here! Whoo! I am going to see the Super Blood Moon Lunar Eclipse!

    4. Tom Hawack said on September 28, 2015 at 9:51 am
      Reply

      And what IF the true relationship between TrueCrypt and VeraCrypt was the reverse of what is officially mentioned?
      What if the truth was that the TrueCrypt developers had been required to modify their code to allow TrueCrypt volumes to be deciphered and that, with their refusal, a campaign had been issued to discredit it with VeraCrypt glorified as the solution?
      Nowadays nothing surprises me anymore. I’m neither cynical nor paranoid but we all know that when it comes to the ability to dig into one’s secrets all attitudes can be imagined. Imagined only. I’m sticking on TrueCrypt for the time being, motivated by doubt not by convictions.

      1. Dave said on September 28, 2015 at 10:27 am
        Reply

        Brilliant reply

      2. DonGateley said on September 28, 2015 at 9:44 pm
        Reply

        Is VeraCrypt not open source?

        1. Jeremy Collake said on September 28, 2015 at 11:33 pm
          Reply

          Even if it is, and I am going to assume it is (may not be), as we saw with TrueCrypt, or countless other large open source projects — that doesn’t mean much unless someone pays to do a full audit of the code, and perhaps continually does such. The projects are too large and encryption itself too complex for a programmer to just look and say ‘Looks good!’. Open source being inherently secure because it’s ‘open’ is one of the great fallacies in the world.

        2. Dave said on September 29, 2015 at 11:42 am
          Reply

          And there’s no guarantee that the binary you download is compiled from the published source.

    5. A.J. said on September 28, 2015 at 4:40 pm
      Reply

      It appears Everything is no longer cataloging the veracrypt v1.15 container drives once mounted. Both on win7.32 and winxp.
      Anyone else having this problem?

    Leave a Reply