Slashdot Mirror

← Back to Stories (view on slashdot.org)

Newly Found TrueCrypt Flaw Allows Full System Compromise

Posted by timothy on from the so-maybe-move-on dept.

itwbennett writes: James Forshaw, a member of Google's Project Zero team has found a pair of flaws in the discontinued encryption utility TrueCrypt that could allow attackers to obtain elevated privileges on a system if they have access to a limited user account. 'It's impossible to tell if the new flaws discovered by Forshaw were introduced intentionally or not, but they do show that despite professional code audits, serious bugs can remain undiscovered,' writes Lucian Constantin.

3 of 106 comments (clear)

  1. Veracrypt by Anonymous Coward · · Score: 5, Informative

    VeraCrypt 1.15 that was released Saturday, contains patches for the two vulnerabilities

    Time to update.

  2. Re:Clarification? by mlw4428 · · Score: 5, Informative

    It's in the driver which operates at an elevated permission level. If there's a bug in the driver code which allows code execution (buffer overflow comes to mind) that code would be running with elevated privileges. Windows can't necessarily account for all potential flaws in software. Nor can any Kernel.

  3. In case anyone is wondering by Anonymous Coward · · Score: 5, Informative

    The VeraCrypt commits fixing the 2 "undisclosed" vulnerabilities:
    https://github.com/veracrypt/V...
    https://github.com/veracrypt/V...