Disk-encryption software VeraCrypt has released version 1.19, which fixes a series of flaws found during a security audit sponsored by the Open Source Technology Improvement Fund (OSTIF).
The month-long audit examined VeraCrypt 1.18, a cross-platform package that lets users encrypt entire drives and system partitions, as well as file containers, against unauthorized access.
After the TrueCrypt project shut down in 2014, VeraCrypt became the most widely adopted successor for full-disk encryption. That popularity was one of the reasons OSTIF chose to audit it in early August, after receiving an influx of funding.
OSTIF hired French security firm QuarksLab to perform the audit.
A month after the audit concluded, the VeraCrypt team published version 1.19, which addresses eight issues rated critical, three rated medium, and fifteen rated low severity.
The team removed the ability to encrypt new volumes with the GOST 28147-89 algorithm, which the auditors deemed insecure. The algorithm remains in VeraCrypt 1.19 only so that volumes already encrypted with it can still be opened; it can no longer be selected when creating new volumes.
The team also replaced the older, insecure XZip and XUnzip libraries with the actively maintained libzip library.
In addition, the VeraCrypt bootloader received updates aimed at hardening its code against exploitation and information leakage.
The team also fixed an issue in the boot password mechanism that allowed an attacker to determine the length of the pre-boot password.
Not all of the issues discovered could be patched without breaking backward compatibility with TrueCrypt volumes, so the team published a set of recommendations on VeraCrypt's documentation page to mitigate the remaining attack vectors.
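To make that last class of bug concrete, the following C program is an added illustration, not VeraCrypt's or QuarksLab's code and not a reconstruction of the actual 1.19 patch. It shows how a password object that carries an explicit length field leaks that length if cleanup only clears the password bytes, and how zeroing the whole object with a wipe the compiler cannot optimize away closes that leak. The struct layout, field names, the 64-byte maximum and the sample password are assumptions made for this example.

```c
/* Added illustration (not VeraCrypt code): a pre-boot password buffer with an
 * explicit length field, a naive cleanup that leaves the length behind, and a
 * hardened cleanup that clears the whole object. Names and layout are assumed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PASSWORD_MAX 64   /* assumed maximum length for this example */

typedef struct {
    unsigned char text[PASSWORD_MAX];
    size_t length;        /* on its own, this field reveals the password length */
} password_t;

/* Zeroing loop through a volatile pointer so a compiler cannot drop it as a
 * dead store the way it may with a plain memset() just before the object dies. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Copy a password into the fixed-size buffer; returns -1 on bad length. */
static int password_set(password_t *pw, const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > PASSWORD_MAX) return -1;
    memcpy(pw->text, s, n);
    secure_zero(pw->text + n, PASSWORD_MAX - n);  /* no stale bytes past the end */
    pw->length = n;
    return 0;
}

/* Naive cleanup: clears the bytes but forgets the length field. */
static void password_wipe_naive(password_t *pw)
{
    memset(pw->text, 0, sizeof pw->text);
}

/* Hardened cleanup: the whole object, length included, is zeroed. */
static void password_wipe(password_t *pw)
{
    secure_zero(pw, sizeof *pw);
}

/* What someone reading the memory afterwards can learn: the length field if it
 * survived, otherwise the number of non-zero password bytes (0 after a wipe). */
static size_t recover_length(const password_t *pw)
{
    if (pw->length != 0) return pw->length;
    size_t n = 0;
    for (size_t i = 0; i < PASSWORD_MAX; i++)
        if (pw->text[i] != 0) n++;
    return n;
}

/* Constructed sample password "correct horse" (13 bytes) through each path. */
static size_t demo_naive_leak(void)
{
    password_t pw;
    password_set(&pw, "correct horse");
    password_wipe_naive(&pw);
    return recover_length(&pw);   /* length field still says 13 */
}

static size_t demo_full_wipe(void)
{
    password_t pw;
    password_set(&pw, "correct horse");
    password_wipe(&pw);
    return recover_length(&pw);   /* nothing left to count: 0 */
}

int main(void)
{
    printf("length recoverable after naive wipe: %zu\n", demo_naive_leak());
    printf("length recoverable after full wipe:  %zu\n", demo_full_wipe());
    return 0;
}
```

The point generalizes beyond the length field: any metadata derived from the secret (length, a hash of the first bytes, a "password entered" flag) has to be treated as secret itself and wiped together with the buffer, and the wipe has to be one the compiler will actually emit.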