AI Finds 27-Year-Old Flaws, Shakes Cybersecurity Market

AI Model Uncovers Decades-Old Security Weaknesses

An advanced artificial intelligence model, named Claude Mythos, has discovered critical security flaws across major operating systems and web browsers. Astonishingly, one vulnerability had remained hidden for 27 years within a highly secure system. Traditional automated tools, which scanned the affected code millions of times, failed to detect these issues.

The company behind Claude Mythos, Anthropic, deemed the findings too dangerous for public release. Instead, they shared the discoveries with 12 major corporations, many of which are publicly traded and accessible to investors. This development marks a significant leap in AI capabilities, with experts noting its unprecedented ability to identify complex software errors.

Deep Dive into FFmpeg Vulnerability

One critical flaw was found in FFmpeg, a widely used software component essential for processing video content online. The bug occurred under a very specific condition: when a video frame was divided into exactly 65,536 parts. This precise number, equivalent to 2 to the 16th power, caused two different internal counters within the software to collide.

When these counters collided, the software could write data beyond its designated memory space. This opens a serious security risk, potentially allowing attackers to gain control of any device running the software, whether it’s a personal computer, smartphone, or large-scale enterprise servers used by companies like Netflix and Apple. The bug was initially introduced in 2010, meaning it went undetected for 16 years despite extensive automated testing.

AI’s Advantage Over Traditional Testing

Traditional security testing methods often involve bombarding software with random inputs to see if it crashes. However, the FFmpeg bug was only triggered by a very specific input, making it nearly impossible for random testers to find. In contrast, Claude Mythos read the code, understood its logic, and generated a custom test to pinpoint the flaw on its very first attempt.

Claude Mythos is not a specialized cybersecurity tool. It is a general-purpose language model that was originally designed to assist programmers. Its advanced ability to understand code, intended programming logic, and subtle deviations allowed it to find flaws that human experts and automated systems had missed for years. This unexpected proficiency in code security emerged as a powerful side effect of its development as a coding assistant.

How Mythos Identifies Flaws

The process involves placing the AI model in a secure, isolated environment with access to specific software code. Mythos then meticulously reads through millions of lines of code, identifying sections most likely to contain serious bugs. It subsequently writes and executes test programs to confirm or deny these potential issues, mirroring the work of professional security researchers.

The key difference lies in speed and scale. While a human analyst might take weeks to audit a section of code, Mythos can process an entire codebase in mere hours. It doesn’t just find bugs; it understands them. The AI reasons about the code’s intent, detects where the actual execution deviates from that intent, and predicts what conditions would cause a failure. This analytical depth is what sets it apart.

Impressive Performance Benchmarks

In the Cyberjimy benchmark, which tests AI models against over 1,500 real-world software bugs, Claude Mythos achieved a score of 83%. This represents a significant 16-point improvement over the previous model, Opus 4.6, which scored 66%. This jump signifies a move from occasionally finding bugs to consistently identifying vulnerabilities across major software platforms.

Mythos demonstrated its power by finding a 27-year-old bug in OpenBSD, an operating system renowned for its security. This vulnerability, a combination of a missing safety check and a number resetting incorrectly, could allow attackers to crash a machine remotely without any authentication. This discovery highlights the AI’s ability to find complex, multi-stage exploits that have evaded detection for decades.

Broader Impact on Software Security

Beyond OpenBSD, Mythos identified significant flaws in FreeBSD, which supports Firefox’s JavaScript engine. It uncovered over 180 bugs across various components, including cryptography libraries and virtual machine monitors, turning them into functional attacks. Previous AI models had only found two of these specific bugs.

On Linux, the operating system powering most of the world’s servers and Android phones, Mythos chained four separate vulnerabilities. Individually minor, these flaws collectively allowed an attacker to escalate from a standard user account to full control of the system. The AI’s capability is not merely theoretical; it’s a potent tool for exploit discovery.

Market Reaction and Industry Concerns

The revelation of Mythos’s capabilities sent shockwaves through the cybersecurity market. Cybersecurity stocks experienced a significant downturn, as investors questioned the future value of an industry potentially rendered obsolete by AI. The logic was simple: if AI can find vulnerabilities faster than humans, what is the role of a multi-trillion dollar cybersecurity industry?

However, this initial panic may have been premature. Industry experts suggest that AI’s ability to find bugs also presents an opportunity for defense. The bottleneck in cybersecurity has often been the slow pace of patching, not necessarily the discovery of vulnerabilities. AI could accelerate the patching process, shifting the industry’s focus from detection to proactive prevention.

The Six-Month Window

Alex Stamos, former Chief Security Officer at Facebook and Yahoo, estimates that within six months, smaller, open-source AI models will possess similar bug-finding capabilities to Mythos. This democratization of advanced exploit discovery raises concerns about increased cyber threats from malicious actors worldwide.

The critical issue for the cybersecurity industry has been the slow deployment of patches for known vulnerabilities. Studies show that a vast majority of breaches involve easily patchable flaws that organizations failed to address promptly. AI, by removing the speed limit for attackers, could drastically shorten the time between a vulnerability’s discovery and its exploitation, collapsing the defense timeline from months to hours.

Project Glasswing: A Defensive Coalition

In response to these threats, Anthropic initiated Project Glasswing, a defensive coalition. This initiative grants early access to Mythos’s capabilities to select publicly traded companies, including giants like Amazon, Google, Microsoft, and cybersecurity firms such as Crowdstrike and Palo Alto Networks.

This move aims to equip these companies with advanced AI tools to proactively identify and fix vulnerabilities before they can be exploited. The announcement of Project Glasswing led to a rebound in cybersecurity stocks, suggesting the market views this as a strategic move to enhance industry defenses rather than a sign of obsolescence.

Investment Opportunities in Cybersecurity

Companies within Project Glasswing are positioned to benefit significantly. Crowdstrike, a leader in endpoint security, reported strong revenue growth, with its Falcon platform poised to integrate Mythos for proactive vulnerability patching. Its latest quarterly revenue reached $1.31 billion, up 23% year-over-year.

Palo Alto Networks, another key player, focuses on consolidating security solutions onto a single platform. Its AI-powered Cortex platform will integrate with Mythos, enhancing threat detection. With annual revenue nearing $11 billion, Palo Alto Networks represents a potentially more attractively valued investment compared to Crowdstrike.

The Future of Cybersecurity Spending

The global cybersecurity market is projected to grow substantially, from $380 billion in 2026 to $1.2 trillion by 2034, a compound annual growth rate of 15.5%. This growth is expected to accelerate as attackers increasingly adopt AI for their operations.

The crucial question for investors is not whether cybersecurity spending will increase, but which companies will capture this growth. The firms involved in Project Glasswing, with privileged access to advanced AI capabilities, are well-positioned to lead this expanding market.

The Patching Paradox

A significant concern remains: less than 1% of the thousands of vulnerabilities discovered by Mythos have been patched. Anthropic plans to release a detailed report within 90 days, outlining the discovered flaws and their remediation status. The speed at which these vulnerabilities are addressed will be a critical indicator of the cybersecurity industry’s ability to adapt.

The challenge lies in the human element of patching. While finding bugs can be automated by AI, fixing them requires human intervention, testing, approvals, and scheduled maintenance, particularly in regulated sectors like banking and healthcare. This inherent delay could continue to favor attackers who can leverage AI for rapid exploitation.

Anthropic’s Strategic Position

Anthropic’s decision not to sell or open-source Mythos, but instead to form Project Glasswing, places it in a unique strategic position. As a private company valued at $380 billion, it holds immense influence over global cybersecurity by controlling access to critical vulnerability information.

The upcoming 90-day security report from Anthropic will be pivotal. If it reveals significant progress in patching, it could validate the defensive strategies of Project Glasswing participants. Conversely, if the report shows minimal remediation, it would suggest that attackers, empowered by rapidly improving open-source AI, may gain a decisive advantage.

Source: What Claude Just Did Is Insane (Investors Aren't Ready) (YouTube)