MCP Will Be Built Into Windows To Make an 'Agentic OS' - Bringing Security Concerns (devclass.com) 38
It's like "a USB-C port for AI applications..." according to the official documentation for MCP — "a standardized way to connect AI models to different data sources and tools."
And now Microsoft has "revealed plans to make MCP a native component of Windows," reports DevClass.com, "despite concerns over the security of the fast-expanding MCP ecosystem." In the context of Windows, it is easy to see the value of a standardised means of automating both built-in and third-party applications. A single prompt might, for example, fire off a workflow which queries data, uses it to create an Excel spreadsheet complete with a suitable chart, and then emails it to selected colleagues. Microsoft is preparing the ground for this by previewing new Windows features.
— First, there will be a local MCP registry which enables discovery of installed MCP servers.
— Second, built-in MCP servers will expose system functions including the file system, windowing, and the Windows Subsystem for Linux.
— Third, a new type of API called App Actions enables third-party applications to expose actions appropriate to each application, which will also be available as MCP servers so that these actions can be performed by AI agents. According to Microsoft, "developers will be able to consume actions developed by other relevant apps," enabling app-to-app automation as well as use by AI agents.
MCP servers are a powerful concept but vulnerable to misuse. Microsoft corporate VP David Weston noted seven vectors of attack, including cross-prompt injection where malicious content overrides agent instructions, authentication gaps because "MCP's current standards for authentication are immature and inconsistently adopted," credential leakage, tool poisoning from "unvetted MCP servers," lack of containment, limited security review in MCP servers, supply chain risks from rogue MCP servers, and command injection from improperly validated inputs. According to Weston, "security is our top priority as we expand MCP capabilities."
Security controls planned by Microsoft (according to the article):
And now Microsoft has "revealed plans to make MCP a native component of Windows," reports DevClass.com, "despite concerns over the security of the fast-expanding MCP ecosystem." In the context of Windows, it is easy to see the value of a standardised means of automating both built-in and third-party applications. A single prompt might, for example, fire off a workflow which queries data, uses it to create an Excel spreadsheet complete with a suitable chart, and then emails it to selected colleagues. Microsoft is preparing the ground for this by previewing new Windows features.
— First, there will be a local MCP registry which enables discovery of installed MCP servers.
— Second, built-in MCP servers will expose system functions including the file system, windowing, and the Windows Subsystem for Linux.
— Third, a new type of API called App Actions enables third-party applications to expose actions appropriate to each application, which will also be available as MCP servers so that these actions can be performed by AI agents. According to Microsoft, "developers will be able to consume actions developed by other relevant apps," enabling app-to-app automation as well as use by AI agents.
MCP servers are a powerful concept but vulnerable to misuse. Microsoft corporate VP David Weston noted seven vectors of attack, including cross-prompt injection where malicious content overrides agent instructions, authentication gaps because "MCP's current standards for authentication are immature and inconsistently adopted," credential leakage, tool poisoning from "unvetted MCP servers," lack of containment, limited security review in MCP servers, supply chain risks from rogue MCP servers, and command injection from improperly validated inputs. According to Weston, "security is our top priority as we expand MCP capabilities."
Security controls planned by Microsoft (according to the article):
- A proxy to mediate all MCP client-server interactions. This will enable centralized enforcement of policies and consent, as well as auditing and a hook for security software to monitor actions.
- A baseline security level for MCP servers to be allowed into the Windows MCP registry. This will include code-signing, security testing of exposed interfaces, and declaration of what privileges are required.
- Runtime isolation through what Weston called "isolation and granular permissions."
MCP was introduced by Anthropic just 6 months ago, the article notes, but Microsoft has now joined the official MCP steering committee, "and is collaborating with Anthropic and others on an updated authorization specification as well as a future public registry service for MCP servers."
Those who do not watch movies are doomed... (Score:5, Informative)
Those who do not watch movies are doomed to live them.
Here we have someone literally making an AI MCP, as if they have never watched TRON!
Re: (Score:3)
"I've gotten 2,415 times smarter since then."
Re: (Score:2)
Greetings, highlander!
Wait, wrong movie.
Umm... Made it!
Shit, still wrong movie. Close though.
Err... Nonononononono!
Ah, finally.
Whew (Score:2)
Another reason to be happy my systems are (officially) too old to to run Windows 11 -- though they run Windows 10 and Linux Mint just fine...
Re: (Score:2)
Don't worry, SystemD will copy it just like it copied the idea of svhost.exe of the pre-win10 days when it was a giant blob of minor process. And even if a minor one crashed, bluescreen. It's windows lite.
What could go wrong? (Score:3)
I know that there is such a thing as too proscriptive; but 'MCP' seems to be really working for that USB-C comparison; in the specific sense of possibly being anything and promising nothing that people like so much with type-C connectors.
Re: (Score:2)
Every API and protocol is a USB-C plug now.
David Weston is a liar. (Score:5, Informative)
"security is our top priority as we expand MCP capabilities."
This is a lie because the AI components being installed is completely unnecessary in the first place. Furthermore, if security was the top priority then it would be disable by default and limited to users who choose to install it. Since these are not how it's being deployed it's clear that David Weston is an untrustworthy piece of shit that will lie to you for personal gain.
Re:David Weston is a liar. (Score:4, Interesting)
Hahahah, reminds me of one bank claiming "Security is our highest priority!". They did not even verify the certificate of their own app as we found. You could put an SSL-breaker prosy in between and read everything. We even did a transfer (seeing everything including amount, TAN, etc.) and it went through.
This is an instance of the "Big Lie" technique, i.e. if your product sucks, just claim it is great. Many people fall for that.
Re: David Weston is a liar. (Score:1)
Don't they write off billions per year for potential hacking losses, and insure themselves for even more, then pay you some crumbs to make a show of pretending that security matters?
Re: (Score:3)
Depends. My point was that whenever somebody claims "Security is our highest priority", I get _very_ suspicuous.
Real level (Score:1)
Hahahah, reminds me of one bank claiming "Security is our highest priority!"
One small interactive play I attended a while ago was in a SciFi setting where I think we all started off as passengers of some kind... anyway in the briefing they gave us they reminded us all that "Your safety is their 7th highest priority" and never has something felt more real. :-)
Re: (Score:2)
This trash seems to be flooding into the OS at an ever-increasing tempo. Each year Windows gets less suitable for serious business.
Yes, Microsoft has always had the wrong focus, so that's old news. But it seems like the sheer volume of crap, and the deepness of its integration with the system, is increasing. Run through services.msc on W10 and have a fun time figuring out which ones correspond to all these BS features. Because if you go through the normal Settings GUI, what you pick there is likely to overr
Re: (Score:3)
Things definitely seem to be degrading at an accelerating rate.
Re: (Score:2)
Most of what a computer is capable of is unnecessary to most users. But the disabled by default option creates additional hurdles that are a general problem to users, especially if something requires installation. Windows already has managed this through network categorisation. You can bet your bottom dollar this will only work if you tick the network connection as a private network - in which case there's no security issue unless you are your own evil enemy.
it's clear that David Weston is an untrustworthy piece of shit that will lie to you for personal gain.
Or more accurately security is his top priority,
Re: (Score:2)
You can bet your bottom dollar this will only work if you tick the network connection as a private network
Oh sweet summer child, that is clearly not what's happening.
Or more accurately security is his top priority, within the bounds given to him
Which means "top priority" is actually a lie since the bounds have a nigher priority.
and calling someone a piece of shit... well... give how you talk about others consider looking in the mirror.
I despise liars and if you lie for personal gain then you should not be allowed to be part of society.
History Repeats? (Score:4, Informative)
OLE / COM+ by any other name, perhaps?
Re: History Repeats? (Score:1)
Can I just vibe code it now?
"Once youâ(TM)ve provided the documentation, clearly describe to Claude what kind of server you want to build. Be specific about:
What resources your server will expose
What tools it will provide
Any prompts it should offer
What external systems it needs to interact with
For example:
Copy
Build an MCP server that:
- Connects to my company's PostgreSQL database
- Exposes table schemas as resources
- Provides tools for running read-only SQL queries
- Includes prompts for common data anal
Re: (Score:3)
There's nothing actually 'AI' related about the interface; aside from it happening to originate through the usual "industry runner-up suddenly decides that open interoperability is a critical virtue" process; and any novelty is usually
Re: History Repeats? (Score:3)
Re: (Score:3)
Control the agenda. People in the MS world will become dependent on it and it becomes the defacto standard in a narrow industry segment. Its a pretty common business tactic. You gotta start somewhere.
Q: How many Microsoft engineers are required to screw in a lightbulb?
A: None, because Microsoft can declare Darkness the new Standard.
The Master Control Program has come a long way (Score:2, Funny)
Still evil as fuck...
Re: (Score:1)
I so want mod points for this! :)
Re: (Score:2, Offtopic)
Thanks! Your thought is appreciated.
Re: (Score:2)
END OF LINE.
Benefits to big tech (Score:2)
You would want to grab the steering wheel on those standards before your competitor does.
Control the platform, Like Google and Android
How is this different than installing a root kit? (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
I'm out (Score:3)
Nopeing right out of this shit.
Re: (Score:1)
But most ain't gonna switch to Linux. We B doomed
You want to what? (Score:2)
Hook your LLM garbage to my file system and other resources? Just no.
Will I be able to "re-plumb" your MCP stuff to data stores of my own choosing? Like in the movie "Brazil" where Tuttle re-connects the environmental suits of the Central Services technicians to the sewer line.
The real top priority is profit (Score:2)