Two new security vulnerabilities affecting the free encryption tool TrueCrypt may allow attackers to obtain admin-level privileges and install malware on the machine, security researchers say.
The vulnerabilities (CVE-2015-7358 and CVE-2015-7359), both in the driver that TrueCrypt installs on Windows systems, were recently discovered by James Forshaw, a member of Google’s Project Zero team. An attacker who already has access to a user account could exploit them to obtain elevated privileges.
The TrueCrypt authors stopped developing the encryption tool last year because of “unresolved security issues”. However, a security audit of TrueCrypt’s source code and its cryptography implementations revealed no backdoors or security holes.
Forshaw said serious bugs can still remain undiscovered after a security audit.
The Google researcher did not disclose details about the two bugs, saying that he usually waits seven days after a patch is released before opening his bug reports.
The critical bugs have been patched in the new app VeraCrypt, an open-source program based on the TrueCrypt code that aims to continue and improve the original project.