Mozilla Uses Anthropic's Mythos To Fix 271 Bugs In Firefox (nerds.xyz)
- News link: https://news.slashdot.org/story/26/04/21/2028206/mozilla-uses-anthropics-mythos-to-fix-271-bugs-in-firefox
- Source link: https://nerds.xyz/2026/04/firefox-ai-bug-hunting/
> Mozilla [2] says it used an early version of Anthropic's Claude Mythos Preview to comb through Firefox's code, and the results were hard to ignore. In Firefox 150, the team [3] fixed 271 vulnerabilities identified during this effort, a number that would have been unthinkable not long ago. Instead of relying only on fuzzing tools or human review, the AI was able to reason through code and surface issues that typically require highly specialized expertise.
>
> The bigger implication is less about one release and more about where this is heading. Security has long favored attackers, since they only need to find a single flaw while defenders have to protect everything. If AI can [4] scale vulnerability discovery for defenders, that dynamic could start to shift. It does not mean zero days disappear overnight, but it suggests a future where bugs are found and fixed faster than attackers can weaponize them.
"Computers were completely incapable of doing this a few months ago, and now they excel at it," says Mozilla in a blog post. "We have many years of experience picking apart the work of the world's best security researchers, and Mythos Preview is every bit as capable. So far we've found no category or complexity of vulnerability that humans can find that this model can't."
The company concluded: "The defects are finite, and we are entering a world where we can finally find them all."
[1] https://slashdot.org/~BrianFagioli
[2] https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/
[3] https://nerds.xyz/2026/04/firefox-ai-bug-hunting/
[4] https://it.slashdot.org/story/26/04/07/2115208/anthropic-unveils-claude-mythos-powerful-ai-with-major-cyber-implications
Identify != Fix (Score:2)
The headline and the summary don't seem to quite agree here. The AI analyzing code to identify vulnerabilities is not the same as fixing i.e. writing new code to patch those vulnerabilities.
Re:Identify != Fix (Score:5, Insightful)
> The headline and the summary don't seem to quite agree here
why not!?
The main pain of security issues is finding them!!
After Claude found the issues, humans could check and fix them, which for many issues isn't that hard. Again, the hard part is pinpointing that some check fails to catch a corner case or that a buffer may have the wrong size.
Re: (Score:2)
I found my front door lock was not working.
I called a locksmith to come repair it.
Now it is working.
I didn't fix the front door. The locksmith did.
Re: Identify != Fix (Score:2)
It was the locksmith's door in this case.
Re: (Score:1)
Mod parent up, not down!
Re: (Score:3)
I wouldn't say they disagree, so much as the headline is poorly written to be ambiguous.
Saying, "I used a floodlight to fix my car" isn't inherently inaccurate. It's just ambiguous.
Identify would have been a much better word than fix, which includes identification in the process.
Re: (Score:2)
Indeed. And here is the thing: there is growing evidence that LLMs trying to fix vulnerabilities do tend to break functionality and to introduce new vulnerabilities. Maybe that's the reason they are always only boasting about "finding" them.
Re: Identify != Fix (Score:2)
If slashdot humans tried to fix the many bugs here (notifications button does not work, non-ascii characters are mangled, etc.), do you think they would break more than if AI did it for them?
Re: Identify != Fix (Score:1)
Dude when are you going to fucking quit this shit? You have been shown to be an ignorant arrogant twat on this subject so often that even I, who loves to hate you, am even growing bored by it
Re: Identify != Fix (Score:2)
I mean, given how good clod clod is at writing code, it wouldn't surprise me if it also helped fix them.
Here come the mass-firings (Score:2)
n/t
It's a 2-way street (Score:1)
"The company concluded: "The defects are finite, and we are entering a world where we can finally find them all.""
And of course, so can the bad guys. And after you find them you have to fix them, and of course the bad guys just need to find them, so once again, advantage goes to the bad guys.
Re: (Score:2)
> And after you find them you have to fix them
No they don't. They're sitting on some bugs that are approaching 26+ years old. And yet they don't fix them.
Re: (Score:2)
> And after you find them you have to fix them
> No they don't. They're sitting on some bugs that are approaching 26+ years old. And yet they don't fix them.
There's a difference between "a bug that is a security vulnerability" and "a bug that isn't a security vulnerability", so unless the 26+-year-old bug belongs to the former, you don't have a point.
Re: (Score:2)
Indeed. On top of that, the claim that all can be found with this tech is a direct lie.
Re:It's a 2-way street (Score:4, Insightful)
Finite means there's only so many bugs in the code, once you fix them all, there are no more bugs to exploit.
And if you have this scanning capability, you can test the code before it's exposed to the general public as a release, minimizing future potential mishaps.
What does this mean for old software? (Score:3)
What does this mean for older software that's no longer being patched?
The next few patch Tuesdays could be interesting.
Re: (Score:3)
Same as it ever did: if there's a bug, someone could find it and exploit it. There are already AI scanning tools besides all the traditional ones. They are just getting better and reducing the effort needed to find it.
However, browsers are in an entirely different class of problem because they connect willy-nilly to possibly bad servers, do all sorts of complex things, are used to connect to very sensitive data, can be scanned by any new tools as they are mostly open source, and are expected to run untrust
Re: (Score:2)
I suspect AI has made the last few patch Tuesdays very, say, "fragile."
We need humility, not arrogance (Score:4, Insightful)
> "The defects are finite, and we are entering a world where we can finally find them all."
We may be entering a world where we can find 99.44% of bugs and we may find the "easy to find ones" a lot faster than we would find them today, but it's very arrogant to declare "we are entering a world where we can finally find them all " given how many unknowns are still out there.
Yes, the progress is good, but we need some humility and we need to be realistic with our expectations.
Re: (Score:2)
Finding them all is impossible with LLMs. Provably so. Anybody that claims differently is a liar. The only tool that is able to find all bugs in a piece of software is formal verification. And that is slow and time-consuming, as it does not simply look at known patterns, but needs actual insight. And hence all machines can do there is verify, but not find the correctness proofs. Or the formal specification. Because, you know, it actually happens to be impossible to find all bugs without a formal specificat
Re: (Score:1)
> Finding them all is impossible with LLMs.
Incorrect.
> Provably so.
Laughably incorrect.
> Anybody that claims differently is a liar.
Or they're better educated than you.
> The only tool that is able to find all bugs in a piece of software is formal verification.
Formal verification mathematically proves code implements a specification. It does not catch bugs that are specified.
There are entire classes of bugs (logic bugs) that LLMs can find that formal verification literally doesn't even try to.
> And that is slow and time-consuming, as it does not simply look at known patterns, but needs actual insight.
Insight? lol- if you're using insight, you are not formally verifying.
What a pile of shit post.
Re: (Score:3)
Isn't claiming that a magical computer program can find all bugs in another program effectively a variation on the halting problem?
Re: (Score:2)
Yes.
However, let's say a program has 1 bug. That's it. How? magic. Doesn't matter. It has 1.
Say an LLM finds it. Does the universe now collapse?
The claim that an LLM can't find "all the bugs in a program" is equally wrong.
"All the bugs in a program" is an unknown- whether or not an LLM, or a human, can find all of the unknowns in a program is an unknown. Because as you said- it's the halting problem.
Re: (Score:2)
It's worse than the halting problem, because different CPUs will have different errors and error handling.
Re: (Score:2)
> Formal verification mathematically proves code implements a specification. It does not catch bugs that are specified.
> There are entire classes of bugs (logic bugs) that LLMs can find that formal verification literally doesn't even try to.
So you prompt the LLM to "find all the bugs".
Even if the LLM can find every last bug (which in turn assumes that this type of problem isn't NP-hard or has some issue that Gödel would point out), just defining to the LLM exactly what a "bug" is seems to be pretty much the same thing as those formal specifications that you just convincingly dismissed as inadequate.
I don't think that there's anything magical about LLMs that would let them get around fundamental mathematical roadblocks.
Re: (Score:2)
You misunderstand.
An LLM is equally as adequate, and inadequate, as formal verification.
Though frankly, an LLM has the potential to be less inequate, as it can solve specified bugs that formal verification cannot.
I did not say that "An LLM can find all bugs".
I said that the statement, "Finding them all with LLMs is impossible." is incorrect.
The difference is important in this case, logically speaking. Which is humorous, since capacity for logic is the magic Gweihir thinks that humans have that LLMs canno
Re: (Score:2)
*inadequate
Re: (Score:2)
> Finding them all is impossible with LLMs. Provably so. Anybody that claims differently is a liar. The only tool that is able to find all bugs in a piece of software is formal verification.
Correction: the only way to prove you have found all bugs is with formal verification. It's completely possible for other tools to find all of them. You just won't know for sure whether it found them all.
Speaking specifically about security bugs, a bug finder doesn't even need to be perfect. It just needs to be at least as good as the attackers. If it misses a bug, but the bug is so deeply buried that the attackers can't find it either, you're still safe.
Even if they do find it, it still may not matter.
Re: (Score:2)
Also correction: Formal verification doesn't prove that you have found all bugs, it proves that your program implements the specification, including flaws within it, and things you failed to specify.
Re: (Score:2)
It also won't catch vulnerabilities that exploit differences between the real physical computer and the verifier's idealized description (e.g. spectre, rowhammer). And it won't catch side channel attacks, like inferring information based on how long a computation takes to complete.
They're all tools. They catch the problems they catch and miss the ones they miss.
So? (Score:1)
This is getting infantile. And, as I have said before, what really matters is what this thing does NOT find.
Re: (Score:1)
A DoS bug lol. Who cares?
Re: (Score:3)
A system that finds hundreds of bugs, which were not found by humans or found by standard fuzzing, and that's "infantile" how exactly? You can if you want disagree with their claim that this will result in somehow finding all the bugs. (That's probably unlikely for a whole host of reasons.) But even you should be able to recognize the significant nature of the system being able to find this many bugs.
You can make this part of the release cycle (Score:2)
Before release, you add a phase of vulnerability discovery, to find as much as you can with the latest and greatest models and fix those before release.
It makes sense to defuse the threat before it becomes an issue, otherwise your attackers will do it for you and won't tell you what they find.
it probably makes it easier for the attacker (Score:2)
If there's a finite number of bugs and AI can find all of them, sure, this can let the defenders win: just find and fix every bug. But the usual model is that there are too many bugs to find and fix them all. The defender has to find and fix all the bugs the attacker is able to afford to find. That's the attacker's cost times the number of bugs at the price the attacker's willing to pay or less. Even if there are some economies of scale in finding and fixing bugs, the defender has to pay at least as much as the attack
Good (Score:2)
I like Firefox. I'll be curious what breaks because of the bug fixes.
How many? (Score:3)
How many of these bugs are around VPN promotions?
I still prefer Firefox, but it'd be nice if it was more like Phoenix and less like a Windows upgrade notice.
Re: (Score:2)
Are these changes pushed to Firefox nightlies? Does that mean that, as of this very second, Firefox is 1000x more secure than Chrome??? :-O