There's many different kinds of TPMs. The whole point is that they're unique and "unhackable" cryptomodules, "one-of-a-kind" keys which sometimes also contain part of the lock mechanism. The ones I'm familiar with cannot be reflashed, by design, so there's no chance their firmware can be compromised by an attacker. Other types exist and some of these might have flashable firmwares.
The exact technical details of this exploit are not public. The summarized vulnerability metrics show that this is a pre-emptive "official fix" for a "highly confidential" "highly technical" "proof-of-concept" "low overall threat" network exploit. Specifically noted to not affect Windows Clients unless they run BitLocker, and already corrected by Microsoft in all affected consumer Windows versions except Win7 (which still needs the firmware security update). It's basically not a consumer issue and primarily affects only HP, Lenovo, Fujitsu, and WinMagic enterprise products - unless, as a consumer, you obtained an Infineon TPM meant to be deployed in these specific enterprise platforms.
This is partly accurate, but I'm not sure you understand the group of affected users here. As the OP showed above, ASUS manufactures TPMs that are vulnerable to this exploit. HP, Lenovo, Fujitsu, etc aren't the only affected platforms, they are just the manufacturers who have acknowledged the vulnerability and are working on updating their firmware with Infineon's fix. It's not accurate to say that this isn't a consumer issue, and these TPMs are certainly not only meant to be deployed in those specific enterprise platforms. Microsoft has a workaround in place, but it's not a fix. ASUS needs to update the firmware on their motherboards with TPM slots to address this.
@CodeSlicer, @Theliel -
I suppose I should agree, lol. As long as ASUS still maintains warranty on motherboards which use these TPMs they should provide active support for the latest TPM security updates. But updating EOL ASUS motherboards would be optional, not required.
That being said, ASUS may elect not to do so unless they consider potential liability issues too risky or too costly.
Proof-of-concept hack vs my TPM, proof-of-concept hack vs my IME, in-the-wild hack vs my WiFi, another nasty broken new Windows build ... what an insecure world, lol.