- Microsoft’s Defender Security Research team reveals ‘AutoJack,’ a vulnerability chain in AutoGen Studio allowing RCE via malicious websites.
- The flaws included misuse of the localhost channel, ignored connection checks, and arbitrary code execution, allowing agents to execute programs provided by attackers.
- The issue only existed in an early development version on GitHub and was fixed before release; it highlights the need for strict authentication and isolation of local control planes
Microsoft’s Defender Security Research team has revealed a vulnerability chain in AutoGen Studio that allows a single malicious website to execute remote code (RCE) on a device running an AI agent.
AutoGen Studio is a program created by Microsoft Research to develop AI agents. The vulnerability chain has been dubbed “AutoJack” and consists of three flaws that, when examined separately, are not particularly troubling. Chained together, however, they are a whole different story.
“The technique, which we call AutoJack, causes the agent to become the attacker’s last-mile delivery vehicle by crossing the localhost trust boundary that many developer tools rely on,” Microsoft explained in its report.
Fix bugs
First, AutoGen Studio had a local control channel that only accepted connections from “localhost”, which is a good way to block outside attackers.
However, an AI agent’s web browser also counts as “localhost”, meaning its connections are accepted too. Second, for this particular channel the connection checks were ignored.
The application had several ways to require a username and password, but the part of the code handling that specific local channel was left wide open.
Finally, the channel would execute almost anything asked of it. Microsoft researchers successfully ran an arbitrary program through it, meaning malicious actors could do the same with malicious code.
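To make the first two flaws concrete, here is an added illustration written for this article; it is not AutoGen Studio's code and does not claim to show how that project implemented its channel. It models a local control channel that trusts any connection simply because it arrives from a loopback address, beside a hardened version of the same check that also demands a per-session secret and rejects browser requests from unknown origins. The `Request` shape, the `ControlPlane` class and the sample addresses are all constructed for the example.

```python
"""Illustrative loopback-trust check (example code for this article).

Models the class of weakness described above: a local control channel
that accepts a request because its peer address is 127.0.0.1. A browser
driven by a local AI agent also connects from 127.0.0.1, so that test
says nothing about who is really asking. The hardened variant requires
a random per-process bearer token and, for browser requests, a known
Origin. All names and sample values here are hypothetical.
"""
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal model of an inbound control-channel request (constructed)."""
    peer_ip: str
    headers: dict = field(default_factory=dict)


def loopback_only_allows(req: Request) -> bool:
    """The weak check: anything from a loopback address is trusted."""
    return ipaddress.ip_address(req.peer_ip).is_loopback


class ControlPlane:
    """Hardened local control plane: loopback AND secret AND origin."""

    def __init__(self, allowed_origins: set):
        # Fresh random secret per process, handed only to the trusted
        # local front end; a hostile web page never learns it.
        self.token = secrets.token_urlsafe(32)
        self.allowed_origins = allowed_origins

    def authorizes(self, req: Request) -> bool:
        # Loopback is still required, but it is no longer sufficient.
        if not ipaddress.ip_address(req.peer_ip).is_loopback:
            return False
        # Constant-time comparison of the presented bearer token.
        presented = req.headers.get("Authorization", "")
        expected = f"Bearer {self.token}"
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            return False
        # Browsers attach Origin to cross-site requests and scripts cannot
        # forge it, so a request from an unknown site is refused even if
        # the secret somehow leaked. Non-browser local clients send none.
        origin = req.headers.get("Origin")
        if origin is not None and origin not in self.allowed_origins:
            return False
        return True


def demo() -> dict:
    """Run both checks over constructed requests and return the verdicts."""
    cp = ControlPlane({"http://localhost:8081"})
    hostile_page = Request("127.0.0.1", {"Origin": "http://untrusted.example"})
    trusted_ui = Request(
        "127.0.0.1",
        {"Authorization": f"Bearer {cp.token}", "Origin": "http://localhost:8081"},
    )
    return {
        "weak_accepts_hostile_page": loopback_only_allows(hostile_page),
        "hardened_accepts_hostile_page": cp.authorizes(hostile_page),
        "hardened_accepts_trusted_ui": cp.authorizes(trusted_ui),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the comparison is the one Microsoft draws: a loopback-only rule is a network check, not an identity check. Once something on the machine (here, an agent's browser) can be steered by untrusted content, the control plane needs its own authentication and an origin policy, or it inherits every page that browser visits.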
In theory, the attack would work like this: the victim would ask their AI agent to summarize a specific website. In doing so, the agent would be prompted to download and execute malicious code that could range from backdoor malware to information stealers.
The good news is that Microsoft found this issue and reported it before the bug reached regular users. The official downloadable version of AutoGen Studio never had this problem, since it only existed in an early version in development on GitHub. The AutoGen team has since managed to repair it.
“If an agent can browse untrusted pages and also communicate with privileged local services, loopback can become an attack surface and control planes must be authenticated, authorized and isolated,” Microsoft concluded.