Anthropic: All your zero-days are belong to Mythos

For years, the infosec community’s biggest existential worry has been quantum computers blowing away all classical encryption and revealing the world’s secrets. Now they have a new Big Bad: an AI model that can generate zero-day vulnerabilities.

Anthropic made the model and named it Mythos. Thankfully, the AI company decided not to release it, because it would break the internet – and not in a good way.

"AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities," the company said.

Mythos is markedly different from Claude Opus 4.6, which Anthropic only recently said was not very skilled at developing working exploit code. Where Opus 4.6 managed an exploit development success rate of just over zero percent, Mythos Preview generated a working exploit 72.4 percent of the time.

What Anthropic is describing is literally a zero-day engine: "Engineers at Anthropic with no formal security training have asked Mythos Preview to find remote code execution vulnerabilities overnight, and woken up the following morning to a complete, working exploit."

Fortunately, instead of releasing Mythos, Anthropic chose to provide a preview version to a set of industry partners so they can use it to find flaws in their systems before adversaries do.

The AI biz calls its limited release initiative Project Glasswing. Participants include: Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.

And while this tech industry anti-rogues’ gallery scans their own systems with the purportedly perspicacious Mythos, Anthropic invited around 40 other organizations to participate in this introspective bug hunt, subsidized by up to $100M in usage credits for Mythos Preview and $4M in direct donations to open-source security organizations.

If that sounds a bit like an arsonist handing out fire extinguishers, well, that's on you for being so cynical.

Word of Mythos leaked last month when a draft blog post from Anthropic surfaced. The details published on Tuesday paint a stark picture for the security community: "During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so."

The 22 Anthropic researchers listed as authors of its Tuesday post insist that the vulns are often subtle and difficult to detect. Some are decades old, like the now-patched 27-year-old bug in OpenBSD.

According to Anthropic, Mythos identified "thousands of additional high- and critical-severity vulnerabilities." The company is in the process of disclosing them responsibly.

Uh, thanks? ®

Source: The Register