Thursday, April 23, 2026

Mozilla used Anthropic's Mythos to find and fix 271 bugs in Firefox


Amid heated debate about the impact that the latest artificial intelligence models will have on cybersecurity, Mozilla said on Tuesday that its Firefox 150 browser, due for release this week, includes security fixes for 271 vulnerabilities identified during early access to Anthropic’s Mythos Preview. The Firefox team says it has taken resources and discipline to adapt to the immense number of bugs that the latest AI tools can detect, but this significant improvement is necessary for the safety of Mozilla users, given that these capabilities will inevitably soon end up in the hands of attackers.

Both Anthropic and OpenAI have announced new AI models in recent weeks that the companies say have advanced cybersecurity capabilities that could represent a turning point in how defenders – and, most importantly, attackers – find vulnerabilities and misconfigurations in software systems. With this in mind, the companies have so far made only limited private releases of their latest models, and both have also established industry working groups to assess progress and develop strategies. In practice, however, cybersecurity experts have different views on the consequences that the new capabilities will have.

Mozilla’s experience, at least in the short term, shows that AI tools like Mythos Preview can have a huge impact on vulnerability hunters.

“We believe these tools have made a dramatic difference because we now have automated techniques that, as far as we can tell, cover the entire vulnerability space,” says Bobby Holley, Firefox’s chief technology officer. For years, he says, Firefox and other organizations have relied on a combination of automatic vulnerability scanning techniques, such as software fuzzing, and manual vulnerability scanning by internal and external researchers to find and fix vulnerabilities. The attackers had the same tools and methods at their disposal.

“There were categories of bugs that could be found with human analysis that couldn’t be found with automated analysis, so it was always possible if you were a threat actor and were willing to spend many millions of dollars to find a bug. We tried to keep the price tag on that as high as possible,” Holley says.

Holley now argues that emerging AI capabilities will create a sort of boot camp that all software will have to go through to find and fix a set of hidden vulnerabilities in its code. Companies like Anthropic and OpenAI seem to be trying to get as many major players as possible to undergo this upgrade before the capabilities become more widely available.

“Every software is going to have to go through this change because there are a lot of bugs hidden under the surface of every software that can now be detected,” says Firefox’s Holley. “It’s a transitional moment that’s difficult and requires concerted focus and a lot of effort to get through it, but I think it’s a finite moment, even as the models get more advanced. Maybe the more advanced models will find a few things here or there, but I think at least on the Firefox side that had a little bit of an advantage here, we’ve beaten the curve.”

Holley says the Firefox team gained access to Mythos Preview through direct collaboration with Anthropic and that Mozilla is not formally part of its larger consortium called Project Glasswing.

Firefox is open source software that could be particularly impacted by the new AI bug-finding capabilities, given that many open source projects are widely used and relied upon around the world, yet are often operated by a very small group of volunteers or just one person. The effects can be particularly significant in the case of “abandoned software” that is no longer maintained at all.
