Anthropic's New "Mythos" Model Discovers Thousands of Software Vulnerabilities

Some of them are 15+ years old.

Yesterday, Anthropic, the company behind Claude AI, revealed Claude Mythos Preview, a new general-purpose language model. They claim it performs strongly across the board, but it is also concerningly good at identifying computer security vulnerabilities and exploiting them.

During their testing, they found that Mythos Preview was capable of identifying and exploiting zero-day (undiscovered) vulnerabilities in every major operating system and web browser when directed by a user to do so.

For context, their current "flagship" public model, Opus 4.6, turned the vulnerabilities it found in Mozilla’s Firefox into exploits only two times out of several hundred attempts. They re-ran this experiment with Mythos Preview, and it developed working exploits 181 times.

It found a now-fixed 27-year-old bug in OpenBSD, an operating system known primarily for its security. It even found and chained together several vulnerabilities in the Linux kernel (the operating system that runs most of the world’s servers) to gain super-user administrative rights.

Importantly, the vulnerabilities behind these exploits have all been patched already, but 99% of the thousands of zero-day vulnerabilities found have not yet been patched, so they have not been publicly shared.

These developments show just how far large language models like Claude or ChatGPT have come since their introduction. In response to all of this, Anthropic announced Project Glasswing. This is an industry-wide effort by Anthropic, Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks to secure the world's most important software.

