Mozilla fixes 271 Firefox vulnerabilities found by Anthropic’s AI

Mozilla announced that Anthropic’s Claude Mythos AI identified 271 vulnerabilities in Firefox during internal testing, with all bugs patched in the same week. This result underscores the ability of advanced AI systems to analyze extensive codebases and identify weaknesses that had previously required significant manual scrutiny. The findings could signify a transformative moment in cybersecurity, where defenders gain an upper hand over attackers.

The identification of these vulnerabilities highlights the growing role AI plays in security analysis. “As these capabilities reach the hands of more defenders, many other teams are now experiencing the same vertigo we did when the findings first came into focus,” Mozilla stated. The organization had earlier tested another Anthropic model that found 22 security-sensitive bugs in a prior Firefox version.

Despite these advancements, Mozilla acknowledged that the cybersecurity industry recognizes the inherent challenges in completely eliminating software exploits. “Until now, the industry has largely fought security to a draw,” the company wrote, emphasizing its commitment to user safety. Mozilla noted that the new AI system effectively located vulnerabilities previously detectable only by expert human researchers.

Moreover, the company expressed skepticism over predictions that future AI models might uncover new types of vulnerabilities that exceed current understanding. “Software like Firefox is designed in a modular way for humans to be able to reason about its correctness,” Mozilla said. However, the latest AI tools could permit developers to detect numerous vulnerabilities ahead of potential exploitation.

Launched in March, Anthropic’s Mythos is designed for coding and cybersecurity tasks, indicating a significant advancement beyond previous models. Internal materials reportedly revealed that the system could identify thousands of previously unknown vulnerabilities across major operating systems and web browsers.

Access to Mythos is restricted through Project Glasswing, allowing selected technology companies—including Amazon, Apple, and Microsoft—to leverage the model for scanning software for weaknesses. This initiative reflects an industry shift towards employing AI in preemptive vulnerability patching.

However, security experts also warn that such technology may enable novel cyberattacks. The U.K.’s AI Security Institute found Mythos capable of autonomously executing complex cyber operations, including simulating multi-stage network attacks without human intervention. The model has drawn interest from government and intelligence agencies, including the National Security Agency (NSA), which reportedly runs Claude Mythos Preview on classified networks.

Recent developments indicate that existing AI evaluation benchmarks may not suffice for assessing the capabilities of these new models. Mozilla posited that these advancements could allow defenders to challenge the longstanding advantages held by attackers. “We’ve turned the corner and can glimpse a future much better than just keeping up,” Mozilla said, suggesting a decisive shift in cybersecurity dynamics.
