Microsoft has issued a critical security warning to Windows 11 users regarding a new experimental feature designed to automate tasks on PC.
The company advises that the new “Agent Workspace” should remain disabled unless users fully understand the severe security implications, including the potential for hackers to install malware or steal data through AI manipulation.
Read more: Driven by TikTok trends, new beauty brands target children
The Risk: Cross-Prompt Injection (XPIA)
The warning centers on a vulnerability known as Cross-Prompt Injection Attacks (XPIA). As Microsoft transitions Windows 11 into an “agentic OS,” these new AI agents require read-and-write access to user files to perform background tasks.
However, this access creates a dangerous loophole. If an AI agent processes a document or webpage containing hidden malicious instructions, it can be tricked into overriding its original programming. Microsoft explicitly warns that “malicious content embedded in UI elements or documents can override agent instructions,” potentially leading to:
- Data Exfiltration: Sending your private files to a remote server.
- Malware Installation: Downloading and executing viruses or spyware without your knowledge.
Because the AI agent has permissions to modify software and access user profiles (specifically directories like Documents, Downloads, and Desktop), a successful attack could bypass traditional security checks.
What is the ‘Agent Workspace’?
The Agent Workspace is a new, experimental environment currently rolling out to select Windows Insiders. It creates a simplified, isolated user account that runs in the background, allowing AI assistants like Copilot to perform complex, multi-step tasks independently while you continue to use your computer.
Unlike standard applications, these “agentic” accounts are granted broader scoped authorization to interact with your file system. While this enables powerful automation, it also significantly widens the attack surface for cybercriminals.
Microsoft’s Safety Measures
Recognizing the danger, Microsoft has implemented several safeguards:
- Disabled by Default: The feature is turned off out-of-the-box. Users must manually enable it in settings, acknowledging the risks.
- Runtime Isolation: The agent operates in a separate “container” with its own distinct user account, theoretically preventing it from accessing the main administrator privileges of the device.
- User Control: Microsoft states that users retain “full control” and can manage access or stop agents at any time.
Expert Advice: Should You Enable It?
For the vast majority of users, the answer is no. The feature is currently intended for developers and technical experts who need to test the capabilities of agentic AI.
Microsoft describes security in this area as a “continuous commitment,” admitting that the technology will need to evolve to meet these new threats. Until these vulnerabilities are patched and the “agentic” model is proven secure, enabling these features introduces unnecessary risk to your personal data and system integrity.
Story by Samaa with additional input by GVS