Software will always have bugs. That also includes trusted programs that have had a professional security audit.
Case in point: it has emerged that a critical vulnerability exists in the Windows version of TrueCrypt, a widely-used hard-disk encryption program, despite researchers previously scrutinising the software.
“This shows that all software can have bugs, even highly trusted ones,” Runa Sandvik, a security researcher who was a technical advisor to an earlier TrueCrypt audit, told Motherboard in an email. “TrueCrypt was widely used, but popularity does not automatically equal good code.”
The critical vulnerability, tagged as CVE-2015-7358, was discovered by James Forshaw from Google's Project Zero, a team tasked with hunting out bugs in popular pieces of software. The problem allows the elevation of privileges on Windows, which might lead to an attacker being able to access other areas of the target computer.
However, Forshaw hasn't publicly released the full details of the vulnerabilities yet, instead writing on Twitter that he tends to wait “until 7 days or so after the release of the patch, just in case.”
Forshaw also discovered another vulnerability, CVE-2015-7359, but that was not labeled as critical. Both problems have been patched in VeraCrypt, an open source version of TrueCrypt. It is unclear whether the vulnerabilities were added intentionally (such as a secret backdoor), or if they were genuine mishaps from the creators.
#VeraCrypt 1.15 is out. Fix #TrueCrypt vulnerabilities CVE-2015-7358 & CVE-2015-7359 reported by @tiraniddo. Details on release notes.
— VeraCrypt@IDRIX (@VeraCrypt_IDRIX) September 26, 2015
TrueCrypt was maintained by anonymous developers, and became the go-to solution for Windows users wishing to secure their local data. It allowed the full encryption of a hard-disk, the generation of individual encrypted partitions, and also came with a useful 'hidden volume' feature: if the user was under duress to reveal their encryption password, they could type in another, dummy pass phrase, and a selection of innocuous files would be revealed, instead of whatever sensitive information they were trying to keep secret.
In late 2013, Matthew Green, an assistant professor from Johns Hopkins University, announced a project to audit TrueCrypt, in order to make sure that the program was as secure as everyone hoped.
Then, in May 2014, the developers of TrueCrypt shut up shop, for reasons unknown, and instead recommended that people use Microsoft's BitLocker, or another encryption program. In response, several open source alternatives sprang up.
Nevertheless, the audit continued, and was completed in April of this year. Although a few problems were discovered, nothing particularly nasty came to light; until now.
“This also shows that a single security audit may not necessarily find all the problems,” Sandvik added.
“It tells us that vulnerabilities are hard to find,” Green told Motherboard in a Twitter direct message.
Indeed, Forshaw said on Twitter that “Windows drivers are complex beasts.”
But, as a silver lining, “this is a pretty narrow bug in the sense that it doesn't affect the security of TrueCrypt encryption itself,” Green added. In other words, the vulnerability doesn’t affect the actual encryption being carried out by TrueCrypt. Instead, the bug poses a problem for the system it is being run on.
Nevertheless, those wishing to keep their data away from the prying eyes of laptop thieves or more targeted attacks should probably have switched from TrueCrypt long ago. When the creators stopped their project, they wrote that “using TrueCrypt is not secure as it may contain unfixed security issues.” That warning is still up today.