Closed GoogleCodeExporter closed 9 years ago
Fixed in Veracrypt 1.15, see
https://veracrypt.codeplex.com/wikipage?title=Release%20Notes
Original comment by fors...@google.com
on 26 Sep 2015 at 9:51
A quick note on exploitability from sandboxes. The Veracrypt device object (and
by extension Truecrypt's) is accessible from a typical low integrity sandbox
such as IE PM. It's also available from the normal Adobe Reader and Chrome GPU
sandboxes. However it can't be accessed from IE EPM, Edge or Chrome Renderer
sandboxes.
The situation is made slightly worse because the IOCTLs are not restricted to
requiring write access, so even if the device object was restricted to read
access (through integrity level for example) it wouldn't block the exploit.
Although in this situation pretty much any place you can access the device node
for read you can also access for write.
Original comment by fors...@google.com
on 28 Sep 2015 at 9:53
Remove view restrictions
Original comment by fors...@google.com
on 3 Oct 2015 at 4:50
Original comment by fors...@google.com
on 3 Oct 2015 at 4:51
In the future it would be nice to contact us (security@ciphershed.org). We had
to find out from third parties.
Original comment by jasonpye...@gmail.com
on 7 Oct 2015 at 10:17
Original issue reported on code.google.com by
fors...@google.com
on 18 Sep 2015 at 9:35Attachments: