Forshaw hasn't disclosed the bugs yet, saying he usually waits seven days after a patch is released. He and other researchers agree that the vulnerabilities -- which can reportedly be exploited by "abusive drive letter handling" -- weren't deliberately installed. And they won't, of course, be fixed in the original program's code.

@v998n @VeraCrypt_IDRIX I don't tend to open up security bug reports until 7 days or so after the release of the patch, just in case :-) — James Forshaw (@tiraniddo) September 27, 2015

However, if you're using TrueCrypt because "free" is a good price, there are other options -- VeraCrypt and CipherShed are open source forks of TrueCrypt, and VeraCrypt has already patched the bugs. Suffice it to say, you should stop using TrueCrypt within the seven-day window before Forshaw releases the exploitable details. Even if you do, however, we likely haven't heard the end of this type of Windows vulnerability. VeraCrypt's Mounir Idrassi told Threatpost that "These are the kind of vulnerabilities that exist in (lots of) software on Windows," and that they will be (and have been) used by hackers for years.