Claude Mythos uncovers 271 Firefox flaws, Mozilla says security tide is turning

Summary
– Mozilla first ran a baseline scan of Firefox with Anthropic’s Claude Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148; the newer Claude Mythos Preview model then identified 271 vulnerabilities in Firefox 150.
– Firefox CTO Bobby Holley described the findings as causing “vertigo” and questioned whether defenders can keep up with such a high volume of critical bugs.
– Holley noted that while bringing exploits to zero is unrealistic, the goal is to make exploits so expensive that only actors with unlimited budgets can afford them.
– In Mozilla’s experience, Claude Mythos Preview matched the world’s best security researchers: there was no category or severity of vulnerability found by humans that the model could not also find, and none found by the model that an elite human researcher could not have found with manual analysis.
– Anthropic is not releasing Mythos publicly due to misuse risks and instead offers it through Project Glasswing to select organizations, though unauthorized access attempts occurred immediately after the announcement.
The cybersecurity community has been buzzing since Mozilla put Anthropic’s Claude Mythos AI model to the test against its own browser. The results were staggering: a volume of flaws that has even hardened security veterans feeling a sense of vertigo.
Before turning Mythos loose on its codebase, Mozilla ran a baseline scan with the earlier Claude Opus 4.6 model, which resulted in fixes for 22 security-sensitive bugs in Firefox 148. When Mythos was then run against Firefox 150, it identified 271 vulnerabilities. For context, Firefox CTO Bobby Holley noted that a single bug of that caliber would have triggered a “red alert” just last year. “So many at once makes you stop to wonder whether it’s even possible to keep up,” he said.
Despite the initial shock, Holley believes the tide is turning. Teams that push through this disorienting phase and focus on the task will begin to see genuine progress. “Our work isn’t finished, but we’ve turned the corner and can glimpse a future much better than just keeping up,” he wrote. “Defenders finally have a chance to win, decisively.”
Holley was quick to temper expectations, however, stating that bringing exploits to zero is an unrealistic goal. Instead, the objective is to make them so expensive that only actors with functionally unlimited budgets can afford them, and that the cost of burning such an asset discourages casual use.
Before Mythos, identifying complex vulnerabilities relied on manual code analysis by expert researchers, a process tightly bounded by time and by scarce human expertise. “Computers were completely incapable of doing this a few months ago, and now they excel at it,” Holley observed. In Mozilla’s findings, Mythos Preview has matched the world’s best security researchers: there was no category or severity of vulnerability identified by humans that the model could not also detect. “Encouragingly, we also haven’t seen any bugs that couldn’t have been found by an elite human researcher,” he added. His final assessment is that “we are entering a world where we can finally find them all.”
Earlier this month, Anthropic publicly announced Claude Mythos Preview, highlighting its particular skill at uncovering previously overlooked and hard-to-detect bugs in operating systems, application software, web applications, and cryptography libraries. The company does not plan to release the model publicly, warning that such a system could be misused to find zero-day vulnerabilities and to build exploits for both newly discovered flaws and known issues that remain unpatched. Instead, it launched Project Glasswing, a selective program that gives major technology, cybersecurity, and financial organizations early access to the model.
It didn’t take long for reports of unauthorized access to surface. According to Bloomberg, a handful of users in a private online forum gained access to Mythos on the very same day that Anthropic announced its limited release plans.
(Source: Help Net Security)