Anthropic's new Claude Mythos AI model has apparently found thousands of vulnerabilities in 'every major operating system and every major web browser, along with a range of other important pieces of software'
If there's one thing that AI is good at, particularly language models, it's detecting patterns in datasets so large that it would be practically impossible for humans to sift through them all, quickly and accurately. That certainly seems to be the case with Anthropic's new general-purpose model, Claude Mythos, as the company has announced that it used it to detect "thousands of high-severity vulnerabilities, including some in every major operating system and web browser."
Alongside the launch of Claude Mythos, Anthropic also announced Project Glasswing, an "initiative that brings together Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks in an effort to secure the world’s most critical software."
This is all down to Claude Mythos finding so many vulnerabilities, and perhaps more importantly, "99% of [those] found have not yet been patched".
If all of this seems very alarming, Anthropic's detailed blog post on the project reminds us that such vulnerabilities are only a potential weakness: someone has to figure out how to exploit them and then successfully use them in the wild.
Don't breathe a sigh of relief just yet, though. "We have seen Mythos Preview write exploits in hours that expert penetration testers said would have taken them weeks to develop," writes Anthropic.
Oh, that's not good at all. Anyway, one such example that Mythos created was an exploit for an old vulnerability in FFmpeg:
"The underlying bug dates back to the 2003 commit that introduced the H.264 codec. And then, in 2010, this bug was turned into a vulnerability when the code was refactored. Since then, this weakness has been missed by every fuzzer and human who has reviewed the code, and points to the qualitative difference that advanced language models provide.
In addition to this vulnerability, Mythos Preview identified several other important vulnerabilities in FFmpeg after several hundred runs over the repository, includ[ing] further bugs in the H.264, H.265, and AV1 codecs, along with many others."
It's worth noting that there's a distinct financial cost to all of this, because running all those mega AI servers isn't free, and code repositories need to be repeatedly scanned to find bugs. Anthropic discovered a vulnerability via a 27-year-old bug in OpenBSD:
"Across a thousand runs through our scaffold, the total cost was under $20,000 and found several dozen more findings. While the specific run that found the bug above cost under $50, that number only makes sense with full hindsight. Like any search process, we can't know in advance which run will succeed."
One good bit of news is that Anthropic actually sent patches out to FFmpeg, though it's not clear as to whether AI was used to generate the fixes themselves. Another bit of good news is actually the whole caboodle.
As worrying as it may seem that an AI model has discovered thousands of vulnerabilities in the software that we all use on a daily basis, with the issues now exposed, Claude Mythos has found exposable bugs that passed mere humans by. If the AI model can find new ones quicker than any human can, it's perhaps the turning point in staying one step ahead of hackers and cybercrime.
And this makes me wonder as to whether the future of software will see email servers using AI servers to detect spam, phishing mail, or other dodgy messages and delete them so that they never get sent out. Imagine the same thing running on phone networks, nixing spam SMS and robocalls.
Hmm, that sounds suspiciously like the beginning of a Skynet-type of AI that decides the real problem isn't vulnerabilities and exploits, but human beings. Yeah, maybe traditional spam filters aren't so bad after all.