Firefox 150 was released with... **checks notes** 41 new CVEs.

clonedhuman@mastodon.social

@bagder Oh no.

viss@mastodon.social

@bagder at this point its safer to just not trust huge writeups from anthropic right off the hop. they offer no proof, no evidence, no logs, no cves, no examples - nothing. its the 'just trust us bro' model, in an effort to get people to buy more tokens

dascandy@infosec.exchange

@bagder If only they used more AI - 271 is child's play compared to what those AI could do.

jzb@hachyderm.io

@bagder @arstechnica I really, really want more detail on the vulnerabilities before taking that number seriously.

bagder@mastodon.social

@jzb @arstechnica and maybe reconsider the term "zero day" for every problem

aetios@sns.minovsky.space

@bagder Would you & your team even have time to fix such an inundation of issues? You seem overworked as is.

mae@is.badat.dev

@bagder @jzb @arstechnica it looks like they(mozilla) count all crashes fuzzers found as vulns, while bundling them under one CVE? There doesn't seem to be a differentiation between crashes found with mythos and ones found with traditional fuzzing techniques though

From this person who I think works on firefox?
https://mastodon.social/@hsivonen/116444494834332293

evilpie@hachyderm.io

@bagder See https://mastodon.social/@bagder/116442883139969359

bms48@mastodon.social

@bagder They need to stop obsessing over LLMs and focus more on the privacy-enhancing profile sandboxing.

wewet@techhub.social

@bagder funnily enough, the post i read right before this was https://infosec.exchange/@flyingpenguin/116399482954754093

spzb@infosec.exchange

@bagder given the recent history of Mozilla, I wouldn’t trust them not to have putsthe bugs in deliberately just so Anthropic could claim to have found them.

fabrice@fosstodon.org

@spzb You can check the fixes in their codebase. Come back once you find proofs of your claims.