Serious security flaws have been discovered in TrueCrypt, placing users who insist on using the legacy encryption system at risk.
The system encryption service, axed last year after Microsoft terminated support for Windows XP, was canned without warning due to "unresolved security issues" in May 2014.
TrueCrypt is still available for download -- but is recommended only if you are migrating data on drives encrypted by TrueCrypt. Instead, PC users who wish to encrypt their hard drives and virtual disk images are asked to download the spin-off Veracrypt or use Microsoft's BitLocker instead.
The need to move on from Truecrypt is now more pressing thanks to the discovery of two severe security flaws in the program by James Forshaw, a member of Google's Project Zero security team.
The vulnerabilities, CVE-2015-7358 and CVE-2015-7359 are deemed critical and allow for local privilege escalation in Microsoft's Windows operating system through the abuse of drive letter handling and incorrect Impersonation Token Handling.
Attackers could leverage the flaws to hijack processes and grant themselves full administrator privileges, and with such keys to a system, havoc could ensue. Malware can be downloaded, surveillance can take place, a PC could be ruined from the root -- there is no end to what a hacker could accomplish.
While the bugs are not the backdoors rumored to be buried within TrueCrypt -- despite the fact an audit has revealed no security flaws -- Forshaw said in a set of tweets:
The flaws have been patched in Veracrypt version 1.15, which was released on 26 September. As development has ended for TrueCrypt, these flaws will not be resolved on the legacy platform. If you haven't already, you should switch to Veracrypt sooner rather than later.
Safari browser extensions you never knew you needed