Mozilla Leveraged Anthropic’s Mythos to Identify and Resolve 271 Bugs in Firefox

Amid an ongoing discussion about the effects of new AI models on cybersecurity, Mozilla announced on Tuesday that its Firefox 150 browser update this week includes safeguards for 271 vulnerabilities identified using early access to Anthropic’s Mythos Preview. According to the Firefox team, adapting to the deluge of bugs that these new AI tools can expose requires both resources and discipline, but this significant effort is crucial for ensuring the security of Mozilla’s users, especially since these capabilities will soon be in the hands of attackers.

Recently, both Anthropic and OpenAI have unveiled new AI models with claimed advanced cybersecurity functions that could significantly change how both defenders—and importantly, attackers—detect vulnerabilities and misconfigurations in software systems. To date, these companies have limited their new model releases to private sessions and have organized industry working groups to evaluate advancements and strategize accordingly. However, cybersecurity professionals vary in their opinions regarding the potential impact of these new capabilities.

Mozilla’s experience, at least in the short term, indicates that AI tools like Mythos Preview could dramatically influence vulnerability detection.

“We believe that these tools have fundamentally transformed the landscape, as they now enable automated techniques that can seemingly cover the entire range of vulnerability-inducing bugs,” states Bobby Holley, Firefox’s chief technology officer. For years, he notes, Firefox and other organizations have utilized a mix of automated vulnerability hunting methods, such as software fuzzing, along with manual efforts from both internal and external researchers to identify and address flaws. Attackers have similarly had access to these tools and strategies.

“There were certain categories of bugs that could be uncovered through human analysis but remained elusive to automated methods, making it feasible for threat actors willing to spend substantial sums to locate a bug—we aimed to drive that cost as high as possible,” Holley explains.

Holley now suggests that upcoming AI capabilities will mandate a comprehensive evaluation process for all software to identify and rectify latent vulnerabilities present in its code. Companies like Anthropic and OpenAI appear to encourage major players to undergo this transformation before the capabilities become more broadly accessible.

“Every piece of software will need to make this transition, as each one conceals numerous bugs that are now discoverable,” Holley asserts. “This represents a critical moment that is challenging and necessitates a coordinated focus and considerable perseverance to navigate, but I believe it is a finite moment, even as the models evolve. Possibly, more advanced models will uncover a few additional issues, but I feel that, at least from Firefox’s perspective, we’ve begun to turn the corner.”

Holley mentions that the Firefox team accessed Mythos Preview through direct collaboration with Anthropic, and that Mozilla is not officially part of its broader consortium known as Project Glasswing.

Being open source, Firefox is a type of software that may be particularly affected by new AI-driven bug detection capabilities, especially since many open source projects are extensively utilized and relied upon globally, yet are frequently maintained by just a small group of volunteers or even a single individual. The implications could be particularly significant for “abandonware” that receives no maintenance at all.