The TPM (Trusted Platform Module) is designed to protect your device from hackers. As a result, Microsoft has made it mandatory to have a TPM 2.0 module to run the latest version of Windows 11. Although the TPM chip is intended to secure your computer, it still has flaws, and there is always a risk of security compromise.

Microsoft’s Windows 11 requires TPM for security features such as Device Encryption, Windows Defender System Guard (DRTM), Measured Boot, and Device Health Attestation. While TPM enhances protection and is effective at keeping sensitive information secure and encrypting data, other operating systems like Linux also support TPMs. Still, they do not have a strict requirement for using the OS.

According to a report published by Bleeping Computer, two newly-discovered vulnerabilities in TPM 2.0 allow hackers to execute malicious code that gives them access to data from billions of users and escalated privileges on your device. This also enables attackers to access or overwrite sensitive data. As a result of this flaw, hackers can steal cryptographic keys and other sensitive information.

It is recommended to only give access to your device to trusted users and to use signed applications from reputable vendors. Additionally, you should update your laptop as soon as updates become available for your device. All users running Windows 10 or Windows 11 with TPM 2.0 can safely assume they are being impacted.

  • TPM 2.0 v1.59 Errata version 1.4 or higher
  •  TPM 2.0 v1.38 Errata version 1.13 or higher
  •  TPM 2.0 v1.16 Errata version 1.6 or higher

The Trusted Computing Group (TCG) has identified that the solution to the problem involves using one of the fixed versions of the TPM Specification. However, OEMs can only resolve this once Windows 11 users limit physical access to their devices.

The TPM 2.0 vulnerabilities were discovered by Quarkslab’s researchers Francisco Falcon and Ivan Arce. The vulnerabilities are tracked as CVE-2023-1017 (out-of-bounds read) and CVE-2023-1018 (out-of-bounds write). The CERT Coordination Center has published an alert for vendors for months. Lenovo is the only major OEM issuing a security advisory warning that CVE-2023-1017 impacts Nuvoton TPM 2.0 chips.