Difference are ‘stark’: Principal AI Security Researcher at LayerX Security Roy Paz said that he tested DXT against Perplexity’s Comet, OpenAI’s Atlas, and Microsoft’s CoPilot, and the differences were stark.”When you ask Copilot, Atlas, or Perplexity to use a tool, then it will use that tool for you. But Claude DXT allows tools to talk to other tools, [such as] in Google Calendar to Desktop Commander, and may do so without consulting the user in order to complete a task,” Paz said. With those other vendors, he noted, “if the agent wants to do something that goes beyond the scope of the user’s explicit instruction, it will ask for permission, but with Claude DXT’s, the user is not consulted.”LayerX Head of Product Strategy Eyal Arazi also stressed Anthropic’s different architectural and settings choices. Most AI model providers are currently developing agentic products based on a browser platform, a highly sandboxed environment that is strongly insulated from the underlying operating system, he pointed out. This means that while agentic AI browsers have their own vulnerabilities, compromising a browser doesn’t give access to the underlying file system, or provide the ability to execute remote code directly on the underlying OS. “Claude, however, does things differently,” Arazi said. “It is a browser extension currently only on Chrome, with a paired MCP-based desktop agent. Although some of the browser solutions such as Dia, Microsoft and Google are not yet fully agentic, Claude’s solution is truly agentic.” Unlike browsers, it does have direct access to the file system so the combination of full agentic capabilities and direct file system access creates a dangerous combination, he noted. “This is why it is specifically a problem of Anthropic’s implementation, that other agentic browsers do not have.”
Onus on users, says Anthropic: Anthropic confirmed much of the report, but said that the onus is on users to use the products properly, based on their environments.”Claude Desktop’s MCP integration is a local development tool where users explicitly configure and grant permissions to servers they choose to run,” said Anthropic spokesperson Jennifer Martinez. “To be clear, the situation described in the post requires a targeted user to have intentionally installed these tools and granted permission to run them without prompts. We recommend that users exercise the same caution when installing MCP servers as they do when installing [other] third-party software.”Martinez added that users explicitly configure and grant permissions to MCP servers they choose to run locally, and these servers have access to resources based on the user’s permissions. “Because users maintain full control over which MCP servers they enable and the permissions those servers have, the security boundary is defined by the user’s configuration choices and their system’s existing security controls,” she said. “Prompt injections are an issue all LLMs are susceptible to, and Anthropic, along with the rest of the AI industry, are working on combating them.”
Plenty of blame to share: Fault for the weakness can’t be attributed to any one source, Fisher said; that there is plenty of blame to share, including the slow pace of industry standards. “Anthropic or any AI company can’t fix what isn’t well defined. Without a common standard, at best they could produce a bespoke whack-a-mole rights implementation,” he pointed out. “The rate of innovation, in my opinion, far exceeds the ability to identify a common security standard for implementation around the results. People are working on the challenge [in that] there is a group working on an MCP security standard.”But it’s a work in progress. “Right now,” he said, “this is a build fast and innovate [approach], which largely relies on existing underlying security controls. Existing systems just can’t contend with what is going to be required to articulate what is needed or allowed within AI’s reach.”However, Frank Dickson, group vice president for security and trust at IDC, pushed back against the suggestion that this is a problem common to all autonomous agents. “This is not simply a fact of life, given autonomous agents. It is a fact of a new software company extending its offering into an unfamiliar space, for which they do not understand the implications,” Dickson said. “This bug is more about reinforcing the need to secure and control the browser rather than Anthropic issuing an unsafe browser.” Software startups like to fail fast, he noted, however, they do feel the brunt of all of the failures. “If it is not Anthropic making a mistake, it will be someone else,” he said. “Anthropic does not get a pass, but organizations should expect startups to make such mistakes and put in measures to control and secure their browsers.”
Not an easy fix: LayerX’s Paz said that this problem will not be easy for Anthropic to fix because it is deeply ingrained in the architectural decisions. “It’s not a half-hour fix. It’s weeks worth of fix. It is going to force them to do a full redesign.”Rock Lambros, CEO of security firm RockCyber, added that he would not consider the Anthropic issue a zero day, but it’s still a problem. “This is the predictable result of letting an AI agent chain a harmless data source to a privileged code executor without a confirmation gate. Anthropic already built sandboxing for Claude Code, so the ‘that’s just how agents work’ defense fell apart when they shipped Desktop Extensions without it,” Lambros said. “Every enterprise deploying agents right now needs to answer ‘Did we restrict tool chaining privileges before activation, or did we hand the intern the master key and go to lunch?’”
Not an easy fix: LayerX’s Paz said that this problem will not be easy for Anthropic to fix because it is deeply ingrained in the architectural decisions. “It’s not a half-hour fix. It’s weeks worth of fix. It is going to force them to do a full redesign.”Rock Lambros, CEO of security firm RockCyber, added that he would not consider the Anthropic issue a zero day, but it’s still a problem. “This is the predictable result of letting an AI agent chain a harmless data source to a privileged code executor without a confirmation gate. Anthropic already built sandboxing for Claude Code, so the ‘that’s just how agents work’ defense fell apart when they shipped Desktop Extensions without it,” Lambros said. “Every enterprise deploying agents right now needs to answer ‘Did we restrict tool chaining privileges before activation, or did we hand the intern the master key and go to lunch?’”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4129820/anthropics-dxt-poses-critical-rce-vulnerability-by-running-with-full-system-privileges.html
