As many Firefox vulnerabilities closed in April as in the previous two years
With a major update and smaller patches, Mozilla closed 423 Firefox vulnerabilities in April. Until recently, there were always about two dozen per month.
(Image: Mozilla)
Mozilla closed exactly 423 security vulnerabilities in April, thanks primarily to Anthropic's new AI model Claude Mythos Preview. Until just a few months ago, that many fixes had accumulated over roughly two years. This is according to a statement from three members of the security team responsible for the browser. Mozilla had already given a preview of the enormous increase two weeks ago with the release of Firefox version 150, and further bugs were fixed in smaller updates before and after. The current version is 150.0.2. To illustrate the scope, the team has now also presented several of the closed vulnerabilities, some of which were reportedly more than 15 years old.
From “Nonsense” to Indispensable Help in a Few Weeks
The security team now recalls that AI technology has been used for some time to search for security vulnerabilities. Until recently, however, this was more of a problem than a help: many open-source projects have suffered from AI-generated bug reports that were nothing more than “nonsense.” How much this dynamic has reversed at Mozilla in recent months is “difficult to overstate.” The three attribute this on the one hand to the increased performance of AI models and on the other to significantly improved tooling for applying them. Mozilla has built a search system in which the underlying AI models can simply be swapped out. When Anthropic provided access to Claude Mythos Preview, they were able to get started immediately, and the results are now visible.
The three further explain that they started with simple requests when using AI, but the process has become much more complex over time. Its core, however, has remained unchanged: an AI is told that there is a bug in a part of the source code, that it must be found, and that a test case must be developed for it. For now, they are concentrating on specific parts of the large codebase and assume that there are still hidden vulnerabilities. In the future, the process is to be integrated into the delivery of patches. Weeks ago, Mozilla was already optimistic that the technology would help defenders gain the upper hand in the eternal battle against IT attacks: “The current situation is dangerous, but it also offers numerous opportunities,” they now state.
Anthropic introduced Mythos a month ago and stated that the model was so dangerous that it would only be made available to companies working on IT security. The AI model had already identified thousands of high-risk zero-day vulnerabilities, it was said at the time. At the same time, the AI technology is significantly more capable of developing a working exploit for such vulnerabilities, sometimes even using several in conjunction. Therefore, only companies that could use the tool to improve IT security were granted access. Mozilla now confirms that some vulnerabilities found involve breaking out of the sandbox; a successful attack would require an additional vulnerability. Such bugs have been particularly difficult to find so far.
With the release of Firefox version 150, Mozilla expressed its conviction that, with the help of AI, all security vulnerabilities in a piece of software can be found and the software thus made completely secure. This contradicts fears that Anthropic's AI could usher in an era in which criminals or state-sponsored attackers would have such a powerful tool that defense would become futile. However, Mozilla's opposite vision can only become reality if every piece of software is indeed checked with AI assistance and then quickly secured. Whether this can and will happen at all is questionable, to say the least. That it is at least being attempted is shown not only by Mozilla's approach, but also by the fact that a particularly large number of security vulnerabilities have recently been closed in the Chrome browser.
(mho)