Windows 11 vs. past/present vulnerabilities

[JustGeorge]

This is a serious question because I really don't know. Not looking to OS bash. Wanting technical answers. 

 

What past/present vulnerabilities would've been stopped dead in their tracks by a TPM, Secureboot and the explicit cpu requirements for Win11?

Edited July 4, 2021 by JustGeorge

[+Biscuits Brown MVC]

I don't think anyone knows 100% so I'll through these out as speculation. TPM and secure boot would be a good block against rootkit based infection so requiring these could make a system more secure.  As for CPU generation, the common thought is it has something to do with spectre/meltdown remediations but who knows. 

[+Tantawi Subscriber²]

Well, not directly because of TPM, but if you have a TPM activated you are more likely than not to use Bitlocker drive encryption, which means no problem of data leaks if your laptop or PC gets stolen.

[+Warwagon MVC]

8 minutes ago, Tantawi said:

Well, not directly because of TPM, but if you have a TPM activated you are more likely than not to use Bitlocker drive encryption, which means no problem of data leaks if your laptop or PC gets stolen.

In that case make TPM a requirement if you want to use that feature, instead of forcing everyone to have it.

[+Tantawi Subscriber²]

12 minutes ago, warwagon said:

In that case make TPM a requirement if you want to use that feature, instead of forcing everyone to have it.

But it is available in all PCs/motherboards shipped since 2015... and what is the percentage of people caring to enable/use it? not much I'd say outside the business environments (heck, believe it or not, even some multi billion $$ companies' IT departments don't bother to encrypt their employees laptops) 

I think it is a step in the right direction, IMHO.

[JustGeorge]

What about ransomware? Any additional defenses against that scourge?

[Ci7]

5 hours ago, Tantawi said:

But it is available in all PCs/motherboards shipped since 2015... and what is the percentage of people caring to enable/use it? not much I'd say outside the business environments (heck, believe it or not, even some multi billion $$ companies' IT departments don't bother to encrypt their employees laptops) 

I think it is a step in the right direction, IMHO.

stuck with perfectly fine i7 5930/X99 motherboard with TPM 1.3 Connector

 

 

[adrynalyne]

18 minutes ago, Ci7 said:

stuck with perfectly fine i7 5930/X99 motherboard with TPM 1.3 Connector

 

 

1.2?

[+Tantawi Subscriber²]

36 minutes ago, JustGeorge said:

What about ransomware? Any additional defenses against that scourge?

Partially, see: https://www.microsoft.com/security/blog/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/?source=mmpc where Secure Boot can help stop the encryption process if the computer rebooted shortly after infection. Plus other measures.

And while such protection is totally possible to have with Windows 10, the keyword here is to "enforce it" with Windows 11.

[Ci7]

1 hour ago, adrynalyne said:

1.2?

 

i think so

[goretsky Supervisor]

Hello,

A couple of attack styles come to mind:

• Some of the initial round of speculative execution attacks, i.e., first generation of Spectre and Meltdown.
• malicious software that infects firmware, such as Mebromi and perhaps even Lojax.

Please keep in mind this is strictly off the top of my head.  I was thinking more about types of attacks that might be blocked a completely working set of TPM + SecureBoot + modern processors with fully-patched microcode.

 

Regards,

 

Aryeh Goretsky

 

[George P Global Moderator]

When it comes to the topic of TPM and Windows everyone talks about bitlocker, but I'm pretty sure that's not the only thing Windows uses/needs TPM for.   Maybe someone should make a detailed list, if MS doesn't have one already.  

[+Tantawi Subscriber²]

1 hour ago, George P said:

When it comes to the topic of TPM and Windows everyone talks about bitlocker, but I'm pretty sure that's not the only thing Windows uses/needs TPM for.   Maybe someone should make a detailed list, if MS doesn't have one already.  

https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-overview#practical-applications