Slashdot Mirror

← Back to Stories (view on slashdot.org)

Newly Found TrueCrypt Flaw Allows Full System Compromise

Posted by timothy on from the so-maybe-move-on dept.

itwbennett writes: James Forshaw, a member of Google's Project Zero team has found a pair of flaws in the discontinued encryption utility TrueCrypt that could allow attackers to obtain elevated privileges on a system if they have access to a limited user account. 'It's impossible to tell if the new flaws discovered by Forshaw were introduced intentionally or not, but they do show that despite professional code audits, serious bugs can remain undiscovered,' writes Lucian Constantin.

4 of 106 comments (clear)

  1. Re:Clarification? by Zardus · · Score: 4, Insightful

    While that might be true in a true microkernel (https://en.wikipedia.org/wiki/Microkernel) design, modern OSes are all at least partially monolithic (https://en.wikipedia.org/wiki/Monolithic_kernel) to avoid the performance penalty of inter-process communications between kernel components. Because of this, drivers tend to run with the same privileges as the kernel. Not sure if that's the case here (TrueCrypt does have a driver, but I didn't RTA to see if that's where the vuln is), but a security vuln in a driver would definitely bypass whatever protections the OS offered.

    --
    You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
  2. Important Details by Anonymous Coward · · Score: 5, Insightful

    This is not a compromise of the TrueCrypt encryption!

    This is a bug in the TrueCrypt driver that is installed on Windows systems. The bug allows an account on an already running and "decrypted" system to achieve elevated credentials. This would not be very much different than a printer driver bug.

    The fact that this is not an actual compromise of TrueCrypt and its encryption, is likely why it was not found in the audit. It is not a vulnerability that they weer worried about and did not look for anything like it.

    TrueCrypt encrypted volumes remain no more or less vulnerable because of this. But, you still should not be using TrueCrypt.

  3. despite professional code audits by TsuruchiBrian · · Score: 5, Insightful

    despite professional code audits, serious bugs can remain undiscovered

    Doesn't google finding this bug count as on more professional code audit successfully discovering a bug?

    When a scientist discovers a new theory do we lament the fact that we've proven that we didn't know everything beforehand?

    Did anyone really think that we could possibly ever have a large piece of software with no bugs?

  4. Re:Clarification? by mlw4428 · · Score: 4, Insightful

    Wasn't it just in January when the Linux GHOST bug was found? If memory serves it impacted something like 15 or so years worth of Linux versions and allowed code execution. I think the better stance to take is that regardless of how open or closed the source code is, complex systems should never be considered secure. As seen by other flaws in open source systems (Heartbleed anyone?) the number of "eyes" checking the code doesn't really matter. The fact is that both closed source and open source software faults in that they don't get enough security auditing done. That's because it's insanely time consuming. The biggest difference between open sourced and closed source software is that generally closed source companies have more resources than open source source groups and thus should be expected to do security auditing once their software reaches a certain adoption rate.