VeraCrypt 1.0f-2 update fixes TrueCrypt audit vulnerability

0
73

VeraCrypt is a TrueCrypt fork that came to life after the original TrueCrypt project was abandoned by its developers.

It is not the only fork of TrueCrypt — Ciphershed is another — but one that receives regular updates.

The most recent update of VeraCrypt, released just two days ago, addresses one of the vulnerabilities reported by the second part of the Open Crypto Audit report.

The same happened after the first part of the report was released last year as most issues listed in it were fixed by an update released shortly thereafter.

VeraCrypt 1.0f-2 patches the CryptAcquireContext vulnerability in TrueCrypt’s source code which is probably the most severe of the four vulnerabilities reported by TrueCrypt’s auditors.

While the three remaining vulnerabilities have not been fixed, they are only threats under certain conditions, for instance when an attacker has local access to the computer.

Idrix, the company behind VeraCrypt, plans to improve VeryCrypt in regards to keyfile mixing and cache-timing attacks. The former has been on the project’s issue tracker for two weeks and will be addressed in time.

Cache-timing attacks will be addressed in the future as well:

Cache-timing attacks are realistic on multi-user server environment where a malicious user can recover sensitive keys from the CPU. This type of shared environment is clearly not recommended for TrueCrypt/VeraCrypt because of other security risks so this is not a realistic scenario in our context.

Anyway, since this applies to all cryptographic libraries, we should seek external help/advice from other open source projects to look for available general purpose implementations that brings some level of protection without loosing too much performance.

Additional issues reported by the static code analysis tool Coverity were fixed in this version of VeraCrypt as well.

Functionality changes have found their way into VeraCrypt 1.0f-2.

VeraCrypt up until now supported the mounting of regular TrueCrypt volumes but not system partitions.

This changes with this release, at least on Windows, as it is now possible to mount TrueCrypt system partitions using the program.

veracrypt

This ensures full compatibility with all supported volume types on Windows, something that may have prevented some TrueCrypt users from switching to VeraCrypt.

The most recent version of VeraCrypt ships with additional improvements and fixes. The volume mounting speed for instance has been improved by up to 20% on 64-bit operating systems.

On Windows, VeryCryptExpander, a free tool to expand VeraCrypt volumes on the fly, has been added to the setup. You find it listed in the start menu and VeraCrypt program folder.