What Anthropic’s Mythos and Project Glasswing Mean for Your Apple Devices

With social engineering attacks getting more common and more sophisticated, not to mention the existence of malware targeted to a specific purpose, all it takes to cause a large-scale outage is a careless employee putting an infected thumb drive into a work computer.

Ugh, I must have glossed over that while reading.

I wonder if, when we get into the OS 27 cycle, we see a LOT more vulnerabilities listed in the security notes. That could be taken as evidence of Project Glasswing allowing Apple to find more vulnerabilities. But, simultaneously, I could see there being no change at all because Apple wouldn’t have to report vulnerabilities that it caught internally.

According to my mate in the industry, that is one of the core problems. That is a common belief held by management, but it doesn’t match the reality. Part of his job is getting management to “wake up” to the actual risks they face, rather than hold on to the stance that was only true 20 years ago.

I won’t directly quote what he shared in private chat, but the gist is the “air-gapped” systems are protected by armed guards, but the systems haven’t actually been air-gapped for a long time. It’s simply a false sense of security, to make people feel better. He has mimicked real systems in the lab, and demonstrated how vulnerable those systems are. His concern is management won’t react until they see the compromise against real systems; labs are not considered evidence.


In an earlier comment, I referenced a developer who validated the bug and the fix. He did so by looking at git commit logs, not chasing press releases. The fix (patch) was clearly present two days after the vulnerability was identified. Of course that doesn’t mean all currently installed versions are patched; that patch will take time to propagate out.

The patch was present two days afterward, or the patch was committed two days afterward?

If the former, then it might have been fixed before the report, maybe quite a while before. If the latter, then the report probably drove the fix.


“Five million!”

“Thousands!”

“99%… unpatched!”

These numbers are all coming straight from Anthropic.

How about this number: one. The number of CVEs directly attributable to Glasswing.

Am I shocked and horrified that some ancient NFS code (is anyone really using NFS anymore?) had a bug? No, it almost certainly has many more.

And what was the true cost of uncovering that bug? That’s something else we’ll only know if Anthropic and other large model makers start disclosing the real costs of creating and operating their systems.


That’s what the commit log is; when code is committed. I guess the patch could have been written weeks or even years earlier and never committed, but I doubt it.

Yes, NFS is still critical for many orgs. And the fact that it (part of the kernel) could have many more bugs is the point. Those bugs (whether specific to NFS or other parts of the OS) can now be found more quickly and reliably.

The part which I don’t believe is getting enough attention is that Opus (available to everyone) is also quite capable of finding bugs. Maybe not as capable as Mythos, but certainly capable enough to be a concern. Is Mythos “that much better” than Opus to shift the balance back in favour of defenders? Maybe. But that’s assuming that all systems and companies that could be attacked are bothering to employ stronger defences.

At the beginning of this thread, I mentioned Future Together, where we discuss these issues along with many others related to our future and how technology is shaping the changes. Join that community if you want to be part of the discussion.

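The "present two days later" versus "committed two days later" question above turns on something git records for every commit: an author date (when the patch was written) and a committer date (when it actually landed). The following is an added example, not code from this thread or from any of the projects it mentions. It builds a throwaway repository inline with a constructed `nfs.c`, constructed dates and constructed tags `v1.0`/`v1.1`, then shows how to pull both timestamps for the commit that introduced a fix and which releases contain it.

```shell
# Added example, not from this thread or the projects it discusses.
# Everything in the demo repo (file, dates, tags) is constructed for illustration.
set -euo pipefail

make_demo_repo() {
  local dir
  dir=$(mktemp -d)
  (
    cd "$dir"
    git init -q .
    git config user.name demo
    git config user.email demo@example.com
    git config commit.gpgsign false
    # Constructed "vulnerable" version, shipped as v1.0.
    printf 'int handle(char *p) { return p[0]; }\n' > nfs.c
    git add nfs.c
    GIT_AUTHOR_DATE=2024-01-01T00:00:00+0000 GIT_COMMITTER_DATE=2024-01-01T00:00:00+0000 \
      git commit -q -m 'initial import'
    git tag v1.0
    # Constructed fix: written on 1 Feb (author date) but only landed on
    # 1 Mar (committer date), then shipped as v1.1.
    printf 'int handle(char *p) { return p ? p[0] : 0; }\n' > nfs.c
    git add nfs.c
    GIT_AUTHOR_DATE=2024-02-01T00:00:00+0000 GIT_COMMITTER_DATE=2024-03-01T00:00:00+0000 \
      git commit -q -m 'fix: NULL check in handle()'
    git tag v1.1
  )
  echo "$dir"
}

# Pickaxe search (-S) for the commit that introduced a string from the fix,
# printing "<author date> <committer date>" so the two can be compared.
fix_dates() {   # usage: fix_dates <repo> <string that appears in the fix>
  git -C "$1" log -1 --format='%aI %cI' -S"$2" --all
}

# Hash of the commit that introduced the string, for tag queries.
fix_commit() {  # usage: fix_commit <repo> <string>
  git -C "$1" log -1 --format='%H' -S"$2" --all
}

# Releases (tags) that contain a commit, space-separated. A build from a tag
# that is not listed is still unpatched even though the fix is in the log.
tags_with_fix() {  # usage: tags_with_fix <repo> <commit-or-tag>
  git -C "$1" tag --contains "$2" | tr '\n' ' ' | sed 's/ $//'
}

repo=$(make_demo_repo)
sha=$(fix_commit "$repo" 'p ? p[0]')
echo "fix commit:                   $sha"
echo "author date / committer date: $(fix_dates "$repo" 'p ? p[0]')"
echo "releases containing the fix:  $(tags_with_fix "$repo" "$sha")"
echo "releases containing v1.0:     $(tags_with_fix "$repo" v1.0)"
```

If the author date is well before the committer date, the patch existed before it landed (possibly before the report); if the two match, the commit is the first time git saw the fix. Either way, only builds from a tag listed by `tags_with_fix` actually carry it.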

The CSA folks are highly credible and do very good work. The linked piece is directed at heads of IT security, and it rings true.


Interesting. Well, your friend may have more recent information than I do. When I worked for a major southern California electric power provider, the systems definitely were air gapped, but that was over 20 years ago. I was in IT, and there was literally no way to access a generating station’s network without physically going inside the plant. No connection from the private intranet, not even a “secret back door” for us IT folk. It seems odd that energy companies would have enlarged the attack surface in the ensuing years rather than shrinking it, given the risk is even greater now than it was then, but I do not have current knowledge.

fyi:


And I don’t have first-hand knowledge. Like all industries, I suspect the security stance at various companies is different. I’m sure there are some which are still very secure (air-gapped?) 20 years later. But from what I heard, too many of them are not.

Firefox 150 contains fixes for 271 vulnerabilities found with Mythos:


That’s an interesting data point from the perspective of the “open source is better because it has a lot of eyes reviewing it” argument.

Granted, Firefox is much more complex than most commonly used open source programs, but it also has a professional core development team, and its code presumably gets more scrutiny than most open source tools.

A little peek at Mozilla’s process and use of Mythos in detecting Firefox security issues and how they “harnessed” the AI tool to work for them.

Cool. I wonder how many of these bugs were fixed by the recent 150.0.2 (May 7) and 150.0.1 (April 28) releases.

Those releases only mention 7 security fixes and none of them give attribution to Mythos. So maybe it’s too early to start seeing the fixes here.


I thought I saw somewhere that 150 might have been the majority of fixes based on the Mythos-guided coding but cannot find a reference to that. However, it makes sense that Mozilla would not be too public about high and critical vulnerabilities for a while so the user base can get caught up. I also saw that Mozilla policy is to not publicize certain internal-found issues for security, at least not for a while (hence the criticisms about Mozilla not getting CVE codes for many of the Mythos-found issues).

It was version 150. See The zero-days are numbered

See also Behind the Scenes Hardening Firefox with Claude Mythos Preview - Mozilla Hacks - the Web developer blog

Plus also the existing topic (edited to remove self-reference after this post was moved to this thread.)


Thanks. I didn’t realize that version 150 came after these bugs were found.

According to 150’s security updates, there are 43 fixes. Three are attributed to someone using Anthropic’s Claude. Five are attributed to “the Mozilla Fuzzing Team”. The rest are attributed to individuals.

According to the Mozilla Hacks article, the three CVEs attributed to Claude are “rollup” CVEs, which altogether comprise 316 bugs: the 271 from Claude, plus many discovered by the Mozilla security team.


And now Mythos has been used to find a bug in Apple’s kernel.
