TrueCrypt audit reveals vulnerabilities but no backdoors

TrueCrypt, the popular open-source file and disk encryption application similar to BitLocker, is finally undergoing a security audit and the results of the first phase have revealed that the software does not contain any backdoors, but some vulnerabilities do exist in the Windows version.

Security research firm, iSec, has been assigned to audit the TrueCrypt software by the developer itself as the company is transitioning towards being a non-profit organization. In the first phase of the audit, iSec assessed version 7.1 a of TrueCrypt’s Windows version for security flaws. The security firm examined the Windows software and bootloader code. Although iSec did not find any backdoors or intentional flaws, it did find 11 vulnerabilities in the TrueCrypt code.

The vulnerabilities with their threat level are as follows:

  • Weak Volume Header key derivation algorithm (Medium)
  • Sensitive information might be paged out from kernel stacks (Medium)
  • Multiple issues in the bootloader decompressor (Medium)
  • Windows kernel driver uses memset() to clear sensitive data (Medium)
  • TC_IOCTL_GET_SYSTEM_DRIVE_DUMP_CONFIG kernel pointer disclosure (Low)
  • IOCTL_DISK_VERIFY integer overflow (Low)
  • TC_IOCTL_OPEN_TEST multiple issues (Low)
  • MainThreadProc() integer overflow (Low)
  • MountVolume() device check bypass (Informational)
  • GetWipePassCount() / WipeBuffer() can cause BSOD (Informational)
  • EncryptDataUnits() lacks error handling (Informational)

In addition to donations from IndieGoGo based backers, TrueCrypt has revealed through their website that it has received a donation from the Open Technology Fund which will help the company increase its efforts to analyze the software across all platforms over a period of 5-6 weeks.

Interested users can also follow the Twitter hashtag #IsTrueCryptAuditedYet for more results.

Source: IsTrueCryptAuditedYet.com via Ghacks | Image via Advance Pensa Cola

Previous Story
Original Halo music composer Marty O'Donnell fired by Bungie
Next Story
Samsung: Steve Jobs' death is 'our best opportunity to attack iPhone'