Google Project Zero hacker James Forshaw has found a pair of privilege-elevation holes in the once-popular TrueCrypt encryption package.
The bugs have been patched in spinoff app Veracrypt, so if you want to stay secure, you may want to shift over to that package.
The flaws are not the fabled backdoors feared lurking in the TrueCrypt code, but can be exploited to compromise the machine, install spyware, record password keystrokes, and so on.
TrueCrypt development was axed last year after its mysterious authors claimed the disk-encryption utility had unresolved security issues.
A comprehensive audit of its source code ensued in which crypto bods from NCC Group reported finding no backdoors or serious holes.
Forshaw says his work demonstrates that an audit is no guarantee TrueCrypt is clean.
"Even though my Truecrypt bugs weren't backdoors, it's clear that it was possible to sneak them past an audit," Foreshaw noted.
Attackers with access to your PC or server can exploit the vulnerabilities to gain administrator-level privileges even if the encrypted volumes are not mounted.
The bugs (CVE-2015-7358, CVE-2015-7359) are rated critical, and fixed in VeraCrypt.
It relates to abuse of drive letter handling and incorrect impersonation token handling. People wanting to ditch source-is-available TrueCrypt can consider alternatives like Veracrypt or CipherShed. ®