Mozilla has provided behind-the-scenes details on the 271 vulnerabilities it discovered with the help of Mythos.
-
So, nobody is even going to take a look?
No, not the folks waiting for the burn!
Zero days don't matter
AI is a fad
If we ignore the new attack surface and vector it will go away. -
Mozilla has provided behind-the-scenes details on the 271 vulnerabilities it discovered with the help of Mythos. Those details include full Bugzilla reports on 12 of the vulnerabilities. I'd be curious for people to look at the reports and hear what they think.
Behind the Scenes Hardening Firefox with Claude Mythos Preview – Mozilla Hacks - the Web developer blog
New details about what we found, and how agentic harnesses are now able to reproduce real bugs and dismiss false positives.
Mozilla Hacks – the Web developer blog (hacks.mozilla.org)
@dangoodin I... 12 is not a bad number but like...
Note that a number of these bugs are sandbox escapes, which would need to be combined with other exploits to achieve a full-chain Firefox compromise
if they had paid the 20k to a professional code auditor they would have found more... dangerous and relevant exploits
Anyone building software can start using a harness with a modern model to find bugs and harden their code today. We recommend getting started now. You will find bugs, and you will set yourself up to take advantage of new models as soon as they become available.
this sound straight up off of a entry-level "advertising 101" book...
also I looked at some of the bug repports and... meh
-
@dangoodin considering the mythos papers that anthropic wrote which said they found hundreds, mozilla confirming less than 10% of those seems to me like a desperate grasping at straws by anthropic to somehow prove they werent lying through their teeth with their writeup
That's... not what the linked article says at all. They're making a few public early, but they did indeed find hundreds.
-
That's... not what the linked article says at all. They're making a few public early, but they did indeed find hundreds.
-
Mozilla has provided behind-the-scenes details on the 271 vulnerabilities it discovered with the help of Mythos. Those details include full Bugzilla reports on 12 of the vulnerabilities. I'd be curious for people to look at the reports and hear what they think.
Behind the Scenes Hardening Firefox with Claude Mythos Preview – Mozilla Hacks - the Web developer blog
New details about what we found, and how agentic harnesses are now able to reproduce real bugs and dismiss false positives.
Mozilla Hacks – the Web developer blog (hacks.mozilla.org)
@dangoodin second that. Sharing for visibility
-
Yes. And I also read the Mozilla post linked above.
-
Yes. And I also read the Mozilla post linked above.
@mattdm @dangoodin and youre ok with anthropics approach here where they disable protections so their new flagship model can pump the numbers? and youre ok with how older models can find the same bug? and theres no gell-mann amnesia going on here?
-
@mattdm @dangoodin and youre ok with anthropics approach here where they disable protections so their new flagship model can pump the numbers? and youre ok with how older models can find the same bug? and theres no gell-mann amnesia going on here?
I'm not saying any of those things, and neither does the Mozilla post.
-
I'm not saying any of those things, and neither does the Mozilla post.
@mattdm @dangoodin but its all written about the same effort. anthroipics writeup and now this one, as well as the flying penguin post. theyre all about the same thing, and they are very very starkly different
-
Mozilla has provided behind-the-scenes details on the 271 vulnerabilities it discovered with the help of Mythos. Those details include full Bugzilla reports on 12 of the vulnerabilities. I'd be curious for people to look at the reports and hear what they think.
Behind the Scenes Hardening Firefox with Claude Mythos Preview – Mozilla Hacks - the Web developer blog
New details about what we found, and how agentic harnesses are now able to reproduce real bugs and dismiss false positives.
Mozilla Hacks – the Web developer blog (hacks.mozilla.org)
@dangoodin I looked at the first one and although I don't know the codebase at all so am missing context, I think I understand it partly (I am a good c++ programmer ) and it certainly looks real to me. There is also discussion on the bugzilla where a developer acknowledges they introduced the bug when doing code cleanup.
-
@dangoodin I... 12 is not a bad number but like...
Note that a number of these bugs are sandbox escapes, which would need to be combined with other exploits to achieve a full-chain Firefox compromise
if they had paid the 20k to a professional code auditor they would have found more... dangerous and relevant exploits
Anyone building software can start using a harness with a modern model to find bugs and harden their code today. We recommend getting started now. You will find bugs, and you will set yourself up to take advantage of new models as soon as they become available.
this sound straight up off of a entry-level "advertising 101" book...
also I looked at some of the bug repports and... meh
@dangoodin if anyone wanna know what I feel about the reports I read
:ms_purple_potion: Passoca Witch :v_enby: :ms_purple_potion: (@passocacornio@tech.lgbt)
Content warning: mozila, antropic
LGBTQIA+ and Tech (tech.lgbt)
-
Mozilla has provided behind-the-scenes details on the 271 vulnerabilities it discovered with the help of Mythos. Those details include full Bugzilla reports on 12 of the vulnerabilities. I'd be curious for people to look at the reports and hear what they think.
Behind the Scenes Hardening Firefox with Claude Mythos Preview – Mozilla Hacks - the Web developer blog
New details about what we found, and how agentic harnesses are now able to reproduce real bugs and dismiss false positives.
Mozilla Hacks – the Web developer blog (hacks.mozilla.org)
@dangoodin half of a continuation of a report, and half a tech blog discussing the internal security harnessing. Strange to read how it switched between the two and answering interesting questions in the FAQ.
I find confusing the fact that I couldn't find a list for all the invidually tracked bugs (?). Even though they are "rolled up"/grouped under a single CVE, they are tracked individually and that would be a more interesting thing to look at.
And I'm really surprised about the no. of fixed bugs graph, especially for April. How could they handle that jump in volume? More people working on Firefox? More focus on security than other work? "Looks good to me" merges? -
R relay@relay.publicsquare.global shared this topic
-
@dangoodin I... 12 is not a bad number but like...
Note that a number of these bugs are sandbox escapes, which would need to be combined with other exploits to achieve a full-chain Firefox compromise
if they had paid the 20k to a professional code auditor they would have found more... dangerous and relevant exploits
Anyone building software can start using a harness with a modern model to find bugs and harden their code today. We recommend getting started now. You will find bugs, and you will set yourself up to take advantage of new models as soon as they become available.
this sound straight up off of a entry-level "advertising 101" book...
also I looked at some of the bug repports and... meh
@passocacornio @dangoodin
Its hard to judge without all of them. 12 is what was released. -
@passocacornio @dangoodin
Its hard to judge without all of them. 12 is what was released.@michaelh @dangoodin since this one is more of an advertising piece than an actual post-morten... those are the best ones they could find
-
@passocacornio @dangoodin
Its hard to judge without all of them. 12 is what was released.Yes, that's true. What I want to know is, what's the quality of the 12?
-
@michaelh @dangoodin since this one is more of an advertising piece than an actual post-morten... those are the best ones they could find
OK, assuming that's true, what's the quality of them?
-
OK, assuming that's true, what's the quality of them?
@dangoodin @michaelh i... posted my actual impression of the reports on a companion toot its linked in this toot
-
@passocacornio @dangoodin
Its hard to judge without all of them. 12 is what was released.@passocacornio @dangoodin If some large precentage of those 271 reports is sandbox escapes and they all got patched there is a decent chance of breaking an in the wild exploit campaign.
