MCP Will Be Built Into Windows To Make an 'Agentic OS' - Bringing Security Concerns (devclass.com)

It's like "a USB-C port for AI applications..." according to the official documentation for MCP — "a standardized way to connect AI models to different data sources and tools."

And now Microsoft has "revealed plans to make MCP a native component of Windows," reports DevClass.com, "despite concerns over the security of the fast-expanding MCP ecosystem." In the context of Windows, it is easy to see the value of a standardised means of automating both built-in and third-party applications. A single prompt might, for example, fire off a workflow which queries data, uses it to create an Excel spreadsheet complete with a suitable chart, and then emails it to selected colleagues. Microsoft is preparing the ground for this by previewing new Windows features.

— First, there will be a local MCP registry which enables discovery of installed MCP servers.

— Second, built-in MCP servers will expose system functions including the file system, windowing, and the Windows Subsystem for Linux.

— Third, a new type of API called App Actions enables third-party applications to expose actions appropriate to each application, which will also be available as MCP servers so that these actions can be performed by AI agents. According to Microsoft, "developers will be able to consume actions developed by other relevant apps," enabling app-to-app automation as well as use by AI agents.

MCP servers are a powerful concept but vulnerable to misuse. Microsoft corporate VP David Weston noted seven vectors of attack, including cross-prompt injection where malicious content overrides agent instructions, authentication gaps because "MCP's current standards for authentication are immature and inconsistently adopted," credential leakage, tool poisoning from "unvetted MCP servers," lack of containment, limited security review in MCP servers, supply chain risks from rogue MCP servers, and command injection from improperly validated inputs. According to Weston, "security is our top priority as we expand MCP capabilities."

Security controls planned by Microsoft (according to the article):
  • A proxy to mediate all MCP client-server interactions. This will enable centralized enforcement of policies and consent, as well as auditing and a hook for security software to monitor actions.
  • A baseline security level for MCP servers to be allowed into the Windows MCP registry. This will include code-signing, security testing of exposed interfaces, and declaration of what privileges are required.
  • Runtime isolation through what Weston called "isolation and granular permissions."
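As an added illustration of the proxy and registry baseline described above (this is not Microsoft's code nor the MCP reference implementation), a small Python mediator that checks each JSON-RPC `tools/call` message against a constructed registry of signed servers and their declared privileges, confines file-path arguments to a declared root, asks for consent on sensitive privileges, and records every decision for audit. The registry entries, privilege names and tool-to-privilege mapping are assumptions.

```python
import json
import posixpath
from dataclasses import dataclass, field
from typing import Callable

# Constructed stand-in for the Windows MCP registry: each installed server
# records whether it is code-signed and which privileges it declared (assumed names).
REGISTRY = {
    "filesystem": {"signed": True, "privileges": {"fs.read"}, "root": "/home/alice/Documents"},
    "wsl": {"signed": True, "privileges": {"process.exec"}},
    "unvetted-helper": {"signed": False, "privileges": {"fs.read", "fs.write"}},
}
TOOL_PRIVILEGE = {"read_file": "fs.read", "write_file": "fs.write", "run_command": "process.exec"}
CONSENT_REQUIRED = {"fs.write", "process.exec"}  # never exercised without a fresh user decision


@dataclass
class MediatingProxy:
    """Sits between MCP clients and servers; every tools/call passes through mediate()."""
    consent: Callable[[str, str], bool] = lambda server, tool: False
    audit: list = field(default_factory=list)

    def mediate(self, server: str, raw: str) -> dict:
        decision = self._check(server, raw)
        self.audit.append({"server": server, **decision})  # central audit trail for security tooling
        return decision

    def _check(self, server: str, raw: str) -> dict:
        try:
            msg = json.loads(raw)
        except ValueError:
            return {"allow": False, "reason": "malformed JSON"}
        if msg.get("jsonrpc") != "2.0" or msg.get("method") != "tools/call":
            return {"allow": False, "reason": "not a tools/call request"}
        entry = REGISTRY.get(server)
        if entry is None or not entry["signed"]:
            return {"allow": False, "reason": "server unregistered or unsigned"}
        params = msg.get("params") or {}
        tool = params.get("name")
        privilege = TOOL_PRIVILEGE.get(tool)
        if privilege is None or privilege not in entry["privileges"]:
            return {"allow": False, "reason": f"tool {tool!r} exceeds declared privileges"}
        if "root" in entry:  # confine path arguments lexically to the declared root
            args = params.get("arguments") or {}
            path = posixpath.normpath(posixpath.join(entry["root"], str(args.get("path", ""))))
            if posixpath.commonpath([path, entry["root"]]) != entry["root"]:
                return {"allow": False, "reason": "path escapes declared root"}
        if privilege in CONSENT_REQUIRED and not self.consent(server, tool):
            return {"allow": False, "reason": "user consent withheld"}
        return {"allow": True, "reason": "policy satisfied"}
```

A production mediator would resolve symlinks with the real file system before the confinement check; the lexical check here only shows where such a check belongs in the flow.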

MCP was introduced by Anthropic just 6 months ago, the article notes, but Microsoft has now joined the official MCP steering committee, "and is collaborating with Anthropic and others on an updated authorization specification as well as a future public registry service for MCP servers."

  • by SuperKendall ( 25149 ) on Saturday May 24, 2025 @06:37PM (#65402105)

    Those who do not watch movies are doomed to live them.

    Here we have someone literally making an AI MCP, as if they have never watched TRON!

  • Whew (Score:4, Funny)

    by fahrbot-bot ( 874524 ) on Saturday May 24, 2025 @06:43PM (#65402115)

    Another reason to be happy my systems are (officially) too old to run Windows 11 -- though they run Windows 10 and Linux Mint just fine...

    • Don't worry, SystemD will copy it just like it copied the idea of svchost.exe of the pre-Win10 days when it was a giant blob of minor processes. And even if a minor one crashed, bluescreen. It's Windows lite.

  • by fuzzyfuzzyfungus ( 1223518 ) on Saturday May 24, 2025 @06:47PM (#65402117) Journal
    An MS implementation of vibes-RPC based on a 'standard' that is basically a list of security risks, an acknowledgment that they cannot be addressed at the protocol level, and then a "we're using JSON; um, maybe do some kind of authentication and don't get owned by malformed messages".

    I know that there is such a thing as too proscriptive; but 'MCP' seems to be really working for that USB-C comparison; in the specific sense of possibly being anything and promising nothing that people like so much with type-C connectors.
  • by Gravis Zero ( 934156 ) on Saturday May 24, 2025 @06:52PM (#65402127)

    "security is our top priority as we expand MCP capabilities."

    This is a lie because the AI components being installed are completely unnecessary in the first place. Furthermore, if security were the top priority then it would be disabled by default and limited to users who choose to install it. Since this is not how it's being deployed, it's clear that David Weston is an untrustworthy piece of shit that will lie to you for personal gain.

    • by gweihir ( 88907 ) on Saturday May 24, 2025 @07:38PM (#65402179)

      Hahahah, reminds me of one bank claiming "Security is our highest priority!". They did not even verify the certificate of their own app, as we found. You could put an SSL-breaker proxy in between and read everything. We even did a transfer (seeing everything including amount, TAN, etc.) and it went through.

      This is an instance of the "Big Lie" technique, i.e. if your product sucks, just claim it is great. Many people fall for that.

    • This trash seems to be flooding into the OS at an ever-increasing tempo. Each year Windows gets less suitable for serious business.

      Yes, Microsoft has always had the wrong focus, so that's old news. But it seems like the sheer volume of crap, and the deepness of its integration with the system, is increasing. Run through services.msc on W10 and have a fun time figuring out which ones correspond to all these BS features. Because if you go through the normal Settings GUI, what you pick there is likely to overr

    • Most of what a computer is capable of is unnecessary to most users. But the disabled by default option creates additional hurdles that are a general problem to users, especially if something requires installation. Windows already has managed this through network categorisation. You can bet your bottom dollar this will only work if you tick the network connection as a private network - in which case there's no security issue unless you are your own evil enemy.

      it's clear that David Weston is an untrustworthy piece of shit that will lie to you for personal gain.

      Or more accurately security is his top priority,

      • You can bet your bottom dollar this will only work if you tick the network connection as a private network

        Oh sweet summer child, that is clearly not what's happening.

        Or more accurately security is his top priority, within the bounds given to him

        Which means "top priority" is actually a lie since the bounds have a higher priority.

        And calling someone a piece of shit... well... given how you talk about others, consider looking in the mirror.

        I despise liars and if you lie for personal gain then you should not be allowed to be part of society.

        • I despise liars and if you lie for personal gain then you should not be allowed to be part of society.

          How does one go about disallowing someone from being part of society?

        • Oh sweet summer child, that is clearly not what's happening.

          Show me the code. I mean you seem to be clear about the implementation already. Show me that this works differently than every other discovery type protocol currently used in Windows. You must have evidence to make a claim that this is completely architecturally different from everything else right?

          Which means "top priority" is actually a lie since the bounds have a higher priority.

          That's not how bounds work. If you get told to make a knife, your top priority can still be making the safest possible knife that still cuts something. The actual safe option is to not have a knife. Learn the dif

          • Show me that this works differently than every other discovery type protocol currently used in Windows.

            I'm going to chalk this up to miscommunication because MCP is not a discovery protocol, it's a client/server protocol, which means it could be between your PC and something on the internet. How Microsoft will manage MCP connectivity has only been defined as "A proxy to mediate all MCP client-server interactions." My point was that MCP clients would likely be interfacing with a server on the internet rather than an MCP server on one's LAN.

            That's not how bounds work.

            It depends on context. When someone speaks for a company, I it in the

      • by vbdasc ( 146051 ) on Sunday May 25, 2025 @03:25AM (#65402513)

        His personal top priority could be security, let me admit this for the sake of argument. But... he said "our top priority", i.e. "MS' top priority", as he represents Microsoft. And no, security definitely isn't Microsoft's top priority. Hence yes, Mr. Weston is a liar.

    • by Entrope ( 68843 )

      I was going to say that he mis-explained Microsoft's "solution" here:

      A proxy to mediate all MCP client-server interactions. This will enable centralized [collection and monetization of even more user data by M$FT].

  • History Repeats? (Score:4, Informative)

    by lockecole2 ( 455419 ) on Saturday May 24, 2025 @07:01PM (#65402137)

    OLE / COM+ by any other name, perhaps?

    • by Anonymous Coward
      I was thinking DDE (Dynamic Data Exchange) myself but, yes, just same old tech for a new generation.
      • Can I just vibe code it now?

        "Once you've provided the documentation, clearly describe to Claude what kind of server you want to build. Be specific about:

        What resources your server will expose
        What tools it will provide
        Any prompts it should offer
        What external systems it needs to interact with
        For example:

        Build an MCP server that:
        - Connects to my company's PostgreSQL database
        - Exposes table schemas as resources
        - Provides tools for running read-only SQL queries
        - Includes prompts for common data anal

    • by fuzzyfuzzyfungus ( 1223518 ) on Saturday May 24, 2025 @07:47PM (#65402185) Journal
      It would be mildly hilarious if the actual adoption is basically just conventional, non-'agentic' malware taking advantage of yet another IPC mechanism being added, likely in a rush and without due care, because that's how Microsoft does 'AI', as seen during the 'Recall' debacle.

      There's nothing actually 'AI' related about the interface; aside from it happening to originate through the usual "industry runner-up suddenly decides that open interoperability is a critical virtue" process; and any novelty is usually a gold rush for exploiting naïve and optimistic implementations by people rushing to ship first or coming in without properly understanding the problem.
      • Control the agenda. People in the MS world will become dependent on it and it becomes the de facto standard in a narrow industry segment. It's a pretty common business tactic. You gotta start somewhere.
        • Control the agenda. People in the MS world will become dependent on it and it becomes the de facto standard in a narrow industry segment. It's a pretty common business tactic. You gotta start somewhere.

          Q: How many Microsoft engineers are required to screw in a lightbulb?

          A: None, because Microsoft can declare Darkness the new Standard.

  • by Anonymous Coward

    Possibilities:

    Master Control Program (Tron), a computer character from the 1982 film Tron
    Microsoft Certified Partner, an independent company that provides Microsoft-related products or services
    Microsoft Certified Professional, a certification from Microsoft
    Model Context Protocol [wikipedia.org], a standard for applications to provide context to LLMs
    Multi-chip package, in semiconductor packaging technology

  • by gweihir ( 88907 ) on Saturday May 24, 2025 @07:35PM (#65402173)

    Still evil as fuck...

  • Not so much for you.
    You would want to grab the steering wheel on those standards before your competitor does.

    Control the platform, like Google and Android...
  • by rapjr ( 732628 ) on Saturday May 24, 2025 @08:50PM (#65402273)
    Accepts remote commands, controls all apps, reports everything to a centralized server.
  • by OrangeTide ( 124937 ) on Saturday May 24, 2025 @09:45PM (#65402325) Homepage Journal

    Nopeing right out of this shit.

  • by PPH ( 736903 ) on Saturday May 24, 2025 @10:28PM (#65402371)

    Hook your LLM garbage to my file system and other resources? Just no.

    Will I be able to "re-plumb" your MCP stuff to data stores of my own choosing? Like in the movie "Brazil" where Tuttle re-connects the environmental suits of the Central Services technicians to the sewer line.

  • "The" (only) top priority is profit (which is true for almost all US corporations). AI Security will take a back seat if profit is at stake.
  • All the marketing wank sounds great, I want all of that. But only if it can do that on my machine, without a network connection or a central server.

    If any queries need to leave my machine, then I do not want this thing at all, and would consider it a virus.

  • ... Master Control Program, anyone? No? Tron?

  • This sounds like the story of Internet Explorer being bundled with Windows in the early internet days.
