For several years, TrueCrypt was the gold standard in PC disk encryption suites. That changed nearly 18 months ago, when the individuals who developed the software abruptly quit. The developers declared that the existing software was "not secure as it may contain unfixed security issues," provided a final version that could only decrypt existing volumes, and shut the project down. This was all the more puzzling when two extensive security audits found no bugs of significance. As of today, that has changed.

Security researcher James Forshaw found two critical bugs in the program that could be used to compromise an end user's machine. Neither is a backdoor or a weakness in the encryption itself; The Register reports that both are local privilege-escalation flaws in the Windows driver, which an attacker who already has a foothold on the machine could use to install spyware or record keystrokes. Either would be sufficient to capture the volume's password or encryption key, depending on how good the end user's security practices were.
Both bugs have been fixed in VeraCrypt, the actively maintained fork of TrueCrypt, in the release published on September 26 (VeraCrypt 1.15). Note that the links to Forshaw's descriptions of each bug currently return 403 errors; he typically waits about a week after a fix ships before making the details public.
We'll never know why TrueCrypt's authors left the project. Clearly these bugs, while significant, were fixable without redesigning the system: VeraCrypt resolved them in short order once Forshaw reported them. What we do know is that there is now a very good reason to move away from TrueCrypt and towards one of the actively maintained forks or an alternative solution. TrueCrypt itself, frozen at its final release with no one to fix it, has now proven flawed enough to no longer be trustworthy.