A new AI model from Anthropic is rewriting assumptions about what artificial intelligence can do, exposing vulnerabilities that have been hiding in plain sight for decades and forcing enterprise security teams to rethink their defenses from the ground up.
The model, called Mythos, was not built as a hacking tool. But the same reasoning power that makes it an exceptional coder also makes it good at finding and exploiting software flaws, and its limited release to a vetted group of technology companies under a program called Project Glasswing has set off debates about whether existing defenses can hold.
“This is a step change,” Dave McGinnis, Vice President of Global Managed Security Services at IBM, told IBM Think in an interview. “It’s not like they created the bugs. The people who wrote that code didn’t know those things were there.”
The concern is not simply that Mythos is a more powerful language model, though it is. Anthropic says the system has already identified thousands of zero-day vulnerabilities (previously unknown flaws) across every major operating system and web browser, some of which had survived decades of human review and millions of automated security tests. Among the findings: a 27-year-old vulnerability in OpenBSD, one of the most security-hardened operating systems in the world, that would have allowed an attacker to remotely crash any machine running it, simply by connecting to that device.
What distinguishes Mythos from previous systems, according to McGinnis, is its capacity for what security professionals call “vulnerability chaining,” the ability to connect a series of individually minor software flaws into an attack that reaches a target. Anthropic noted that the model autonomously identified and chained together several vulnerabilities in the Linux kernel, allowing an attacker to escalate from ordinary user access to complete control of a machine.
A second capability is potentially more consequential. Mythos can analyze compiled binary code, the machine-readable instructions that software runs on, without needing access to the original source code. That means legacy systems running on equipment that has been in operation for decades, with source code that has long since been lost or forgotten, are no longer out of reach for an AI-assisted attacker.
“You’re talking [about] stuff sitting around—a Windows 3.11 machine in the corner, some ancient piece that everybody doesn’t want to look at because it’s still working,” McGinnis said. “I don’t have source code for it; I don’t know how to fix the vulnerability. And if I can fix it, I can exploit it.”
Click Here For The Original Source.
