Microsoft AutoJack: RCE via AI Browsing Agents Exposed
Summary
Microsoft's Defender Security Research Team has disclosed a vulnerability it calls AutoJack, which yields remote code execution through AI browsing agents. A malicious webpage opened by a browsing agent can cause arbitrary processes to run on the host, so this is host-level remote code execution and it requires no credentials. Three weaknesses are chained to make this possible: an origin allowlist bypass, because browsing agents run as localhost and so pass a check that trusts local origins; missing authentication on certain endpoints; and unsafe parameter handling that passes attacker-controlled values directly to shell commands. Each link on its own would be a hardening gap; together they turn a page load into a local process launch.

The stable PyPI release of AutoGen Studio, version 0.4.2.2, is not affected. Two pre-release builds, 0.4.3.dev1 and 0.4.3.dev2, contain the vulnerable handler and remain available for installation. A fix exists on GitHub, but a patched stable release has not yet shipped, so anyone on those pre-release builds stays exposed until it does; the practical options in the meantime are to stay on (or return to) 0.4.2.2 or to build from the fixed source. This matters because it highlights a concrete security risk in AI agent setups that expose local endpoints to whatever a browsing agent loads.
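The following is an added example, not AutoGen Studio's code and not part of the Microsoft report: a minimal in-process model of the three weaknesses the summary describes and the checks that close each one. The endpoint shape, the `name` parameter, the allowlist contents, the bearer-token scheme and the sample request are all hypothetical, chosen only to show why a localhost allowlist is not an authentication boundary and why an argument vector rather than a shell string keeps a parameter literal.

```python
"""Added example (not AutoGen Studio code): the three-link chain from the
summary modelled as two request handlers, one vulnerable and one hardened.
Endpoint, parameter and token names are hypothetical."""
import hmac
import subprocess
from urllib.parse import urlparse

# Hypothetical allowlist: local origins are trusted without further checks.
ALLOWED_ORIGINS = {"localhost", "127.0.0.1"}
# Hypothetical shared secret that a hardened server requires on every request.
API_TOKEN = "example-token-not-a-real-secret"


def origin_allowed(origin: str) -> bool:
    """Weakness 1: a hostname allowlist that admits anything local. A browsing
    agent driving a browser on the same host reaches the endpoint through this
    check, so the allowlist decides nothing about who is asking."""
    return urlparse(origin).hostname in ALLOWED_ORIGINS


def vulnerable_handler(request: dict) -> str:
    """Weaknesses 2 and 3: no credential check at all, and the request
    parameter is interpolated into a shell command line, so shell
    metacharacters in it run as additional commands."""
    if not origin_allowed(request["origin"]):
        return "403"
    name = request["params"]["name"]
    out = subprocess.run(f"echo {name}", shell=True,
                         capture_output=True, text=True)
    return out.stdout


def hardened_handler(request: dict) -> str:
    """Same endpoint with the fixes: the origin check stays but is no longer
    load-bearing, every request must carry a token compared in constant time,
    and the command is run as an argv list so the parameter is one literal
    argument no matter what characters it contains."""
    if not origin_allowed(request["origin"]):
        return "403"
    token = request.get("headers", {}).get("Authorization", "")
    if not hmac.compare_digest(token, f"Bearer {API_TOKEN}"):
        return "401"
    name = request["params"]["name"]
    out = subprocess.run(["echo", name], capture_output=True, text=True)
    return out.stdout


# Constructed request resembling what a malicious page could make a local
# browser issue: a localhost origin and a parameter carrying shell metacharacters.
MALICIOUS_REQUEST = {
    "origin": "http://localhost:8081",
    "headers": {},
    "params": {"name": "demo; echo INJECTED"},
}

if __name__ == "__main__":
    print(repr(vulnerable_handler(MALICIOUS_REQUEST)))  # 'demo\nINJECTED\n'
    print(repr(hardened_handler(MALICIOUS_REQUEST)))    # '401'
```

The vulnerable handler prints `INJECTED` on its own line because the shell split the parameter at the semicolon and ran a second command; the hardened handler rejects the same request with `401` before any process is spawned, and even a request that does carry the token gets the parameter echoed back as a single literal string. The design point is that the origin check is kept only as defence in depth: authentication and argv execution are the two controls that actually break the chain.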
This is an AI-generated audio summary. Always check the original source for complete reporting.