Anthropic Update Underscores Power of AI Flaw Finder Mythos

Anthropic has provided an advisory on Project Glasswing, the AI initiative the vendor launched last month that aims to protect critical software from attack by malicious AI models.

The vendor introduced Glasswing a few weeks after it emerged that the company had developed Claude Mythos, a powerful new model so adept at finding security vulnerabilities in code that Anthropic decided not to release it, for fear of misuse in the wrong hands.

Instead, Anthropic opted to share it with about 50 key partners, among them some of tech’s biggest names: AWS, Apple, Google, Microsoft, CrowdStrike, Nvidia, Broadcom, Cisco and Palo Alto Networks.

Anthropic’s early findings on Mythos yielded key takeaways. Arguably, the most eye-catching are figures that illustrate its success rate — but also highlight the alarming number of weaknesses prevalent in software that the company said in its May 22 update is “fundamental to the functioning of the internet and other essential infrastructure.”

Among the developments from partners and external testers were Cloudflare finding 2,000 bugs (400 of which were critical); Mozilla unearthing 271 vulnerabilities in Firefox, more than 10 times the number in a previous model; and the latest Palo Alto Networks release requiring five times as many patches as usual.

Anthropic also revealed that it had used the Mythos preview version to scan more than 1,000 open source projects over the past few months, and again, the numbers provided cause for concern.

Among 23,019 vulnerabilities, 6,202 were estimated to be of high or critical severity, with the most concerning being a flaw in wolfSSL, a cryptography library, which would have allowed attackers to forge certificates and host a fake website for a bank or email provider.

While this has now been patched, it’s in the minority: only 75 of the 530 high- or critical-severity bugs reported to maintainers to date have been resolved, prompting Anthropic to highlight another takeaway: the industry has to work much more quickly to find ways to fix the problems.

Anthropic’s update stated: “The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity. Models with cybersecurity skills similar to those of Mythos Preview will soon be more widely available. There is a clear need for a larger effort across the software industry to manage the volume of findings that these models will generate.”

Failure to swiftly produce patches will “open a significant window for attackers,” Anthropic said.

Another major finding is that Mythos is still not ready for public release. However, Anthropic said the Glasswing initiative, which is restricted to select partners, could be expanded. 
