
Tuesday, April 14, 2026

AI Discovery of Coding Bugs Risks Overwhelming Developers

“The software bug was capable of crashing an operating system used by firewalls, servers and network appliances. It went undetected for over 27 years.

Last month, it was caught by Mythos, the latest AI model from Anthropic that has spooked the White House, banking executives and cybersecurity professionals around the world.

Welcome to the bug armageddon. AI models like Mythos and others are finding bugs in older software at a rate never seen before.

While most of the coding issues may be minor, their sheer volume has amplified the risk that smaller software developers will become overwhelmed with reports of bugs such as the one Mythos found.

Thanks to AI, hackers will be able to leverage those bugs more quickly than ever before.

The 1998 bug in the OpenBSD operating system was one of thousands Mythos found last month.

Anthropic said last week that it is working with about 50 technology companies and organizations to find and fix bugs and currently has no plans to release Mythos to the general public.

"We need to know that we can release it safely, and it's not exactly clear how we can do that with full confidence," said Logan Graham, the head of Anthropic's Frontier Red Team, which evaluates AI for risks.

Anthropic's rival, OpenAI, is developing a similar campaign, offering a security-focused version of its product to developers so they can patch systems before these bugs are discovered by criminals, according to a person familiar with the company's plans.

Google also has an early-access initiative for developers in the works, the company said.

Mythos has set off a scramble among technology employees inside major companies, as many have tried to understand how the new model could upend cybersecurity and expose a range of new threats to their products.

Numeric, an AI accounting automation platform based in San Francisco, recently kicked off a discussion of its risks in a cybersecurity Slack channel.

Some of the greatest risks to companies, Numeric co-founder Anthony Alvernaz said, will likely come from dependencies on so-called "open-source" tools built collaboratively, often by volunteers who may not have the resources to quickly triage bug reports.

That infrastructure underpins much of the modern internet, he said.

"The code a company writes is almost like the top layer of a cake, and underneath are all of these layers" of open-source software, he said.

When he heard about Mythos finding an old OpenBSD bug last week, security researcher Niels Provos wondered if he had been the one who had made the mistake when he wrote some code for OpenBSD 27 years ago while obtaining his doctorate from the University of Michigan. A quick check confirmed his suspicions.

"To be honest, I just thought it was hilarious. Because it's code that is so old," said Provos, formerly head of security with the payments company Stripe. "Who knows the last time a human even looked at it."

For humans to find and exploit a bug like this would typically require countless hours of research. Most hackers wouldn't have even looked at Provos's old code, assuming that it had been picked over for bugs, Provos said.

"Previously there were only a handful of people that could do this," he said. "Now, with these tools, the skill that you need to develop really sophisticated exploits has gone way down."

Mythos found the bug -- along with several dozen other issues -- while burning about $20,000 of computing power over a two-day period, Anthropic said.

Over the past few weeks, Mythos also has proved to be better at writing code that can exploit those vulnerabilities, Anthropic said.

Today, most cyberattacks don't involve previously undiscovered vulnerabilities, known as zero days.

Hackers more often break into companies using previously discovered bugs, or by stealing login credentials or using social-engineering techniques. Also, most corporations have other strategies in place to mitigate cyberattacks even if an individual computer is hacked.

Earlier this year, Anthropic's software discovered more than 100 bugs in the Firefox browser, and it was even able to write code that could exploit one of these bugs in a test version of the browser. In the real world, Firefox had other security mitigations that would have stopped the attack, which would have made more work for real-world hackers.

The cybersecurity capabilities of the latest AI models have won over skeptics over the past few months. They have started to worry that patching a massive and growing number of bugs will lead to an unprecedented logistical challenge -- the AI equivalent of Y2K, a worldwide effort to patch programs around the world that couldn't comprehend a year after 1999. The Y2K warnings were dire, but the technological fixes largely worked.

Many cybersecurity professionals believe the AI bug armageddon could play out along similar lines, but successfully patching thousands of vulnerabilities in all kinds of software will take a monumental effort, they say.

Top White House officials including National Cyber Director Sean Cairncross are racing to address the threat Mythos and other models pose, working to identify weaknesses in government and coordinate the private sector response.

Investors worry that these changes could upend the software industry, and shares of cybersecurity companies dropped last week.

Most companies are getting better at patching critical bugs, but AI is driving up the sheer volume of reported bugs and patching everything is taking longer, according to HackerOne, which helps companies triage bug reports. Bug submissions are up 76% from last year and the average time to fix a bug has jumped from 160 days to 230 days during the same period, according to the company.

Companies also worry that previously ignored technology products might now become targets, and that, unlike the tech giants, the companies or software developers who build these more obscure products might not have the resources to manage the patching onslaught.

"It will get a lot easier to attack random pieces of infrastructure that no one was attacking before," said Thomas Ptacek, a security researcher who is a principal at the cloud computing company Fly.io.” [1]

1. McMillan, Robert; Cutter, Chip. "AI Discovery of Coding Bugs Risks Overwhelming Developers." Wall Street Journal, Eastern edition; New York, N.Y., 14 Apr 2026: B1.