Microsoft Opens Windows to External AI Through New Protocol—And Yes, It’s a Potential Security Nightmare
You asked for automation, but what you’ll get is a supply chain of vulnerabilities baked into the Windows kernel.Microsoft has unveiled ambitious plans to integrate the Model Context Protocol (MCP) directly into the Windows operating system. The company announced this at the Build developer conference in Seattle, despite serious concerns about the security risks posed by the rapidly evolving MCP ecosystem.
MCP is a relatively new protocol introduced by Anthropic just six months ago. Initially conceived as a way for AI applications to access data across different systems, it quickly evolved into a more universal automation tool. The protocol is based on JSON-RPC 2.0 and allows MCP servers to advertise their capabilities and accept commands to execute them.
For Windows, the value of a standardized automation method—covering both built-in and third-party apps—is clear. A single simple request could trigger a chain of actions: fetching data, generating an Excel spreadsheet with the right chart, and emailing it to colleagues.
Microsoft is laying the groundwork for this by announcing new Windows features. First, a local MCP registry will help locate installed MCP servers. Second, built-in MCP servers will provide access to system functions, including the file system, window management, and the Windows Subsystem for Linux. Third, a new API type called App Actions will let third-party apps expose app-specific actions, which will also be accessible as MCP servers.
According to Microsoft, developers will be able to leverage actions created by other relevant apps, enabling cross-app automation and use by AI agents. Among the companies integrating MCP functionality into their Windows apps are Anthropic, Figma, and Perplexity. For App Actions, Zoom, Todoist, and Spark Mail have joined the initiative.
However, MCP servers—despite their power—are vulnerable to abuse. Microsoft Corporate Vice President David Weston outlined seven attack vectors, including:
- Inter-prompt injections, where malicious content overrides an agent’s instructions
- Authentication gaps due to immature standards
- Credential leaks
- Tool poisoning via unverified MCP servers
- Lack of isolation
- Limited security auditing
- Supply chain risks
- A proxy to mediate all MCP client-server interactions
- A baseline security requirement for servers included in the Windows registry
- Runtime isolation with granular permissions
The company has also joined the official MCP steering committee alongside GitHub and is collaborating with Anthropic and others on an updated authorization specification and a future public registry service for MCP servers.
Build also introduced NL Web (Natural Language Web), a new project that lets websites and apps serve content via natural language queries. It was developed by Ramanathan Guha, a former Google employee now serving as a Microsoft Technical Fellow, best known for creating the RDF standard. Every NL Web instance also functions as an MCP server.
MCP and App Actions in Windows can be seen as a new way to automate both Windows itself and other apps. In some ways, it resembles COM (Component Object Model) and its derivatives, which already enable inter-app communication and automation in Windows—but through a binary interface rather than JSON-RPC. COM proved to be a powerful tool but also a source of security headaches—just think of ActiveX in Internet Explorer and OLE Automation in Office.
While it’s encouraging that Microsoft has placed security at the core of its MCP strategy, both developers and enterprises will remain cautious. As Weston noted, "MCP unlocks powerful new capabilities—but also introduces new risks."
