Two new TrueCrypt Privilege Elevation holes found

News by Max Metzger

Google's Project Zero security analysts have discovered two privilege-elevation holes in the once-popular TrueCrypt Protection Package.

James Forshaw of Project Zero, Google's team of analysts employed to find zero-day exploits, found the privilege elevation holes earlier this week.

A privilege elevation hole is one which attackers might exploit to gain greater access to resources within the targeted software than the system administrator or creator intended. The ‘jailbreaking’ of devices like iPhones is just such an attack.

This should come as little surprise to users of TrueCrypt, a disk encryption utility, the development of which was axed in May last year when an ominous message of warning appeared on the homepage, stating that “using TrueCrypt is not secure as it may contain unfixed security issues”.

The software has been audited and no backdoors were found, but Forshaw later stated on Twitter that “even though my TrueCrypt bugs weren't backdoors, it's clear that it was possible to sneak them past an audit”.

The two bugs have been patched in VeraCrypt, a spin-off app. The Register reports that “if you want to stay secure, you may want to shift over to that package”.
