English
中文
Deutsch
HomeArticle

Overnight, will countless bugs appear on your phone and computer?

差评2026-04-09 09:00
I can't even imagine how much legacy code there could be.

Overnight, your phone, computer, router, and even your smart toilet may need to be patched frantically to fix vulnerabilities.

This is not just baseless talk. Anthropic has released its most powerful model to date, Claude Mythos Preview.

This brand - new version of the model can find 0 - day vulnerabilities (that is, fatal vulnerabilities that developers are completely unaware of and have no time to defend against), and can also write a complete set of attack codes for you.

Seeing that this ability is quite illegal, Anthropic itself got nervous. So, it locked the model away under the pretext of "too advanced to be publicly demonstrated" and only made it available to 12 well - known and legitimate tech giants such as Amazon, Apple, Microsoft, and Google.

Meanwhile, they also launched an additional initiative called Project Glasswing, calling on everyone to use Mythos for network security defense first.

Actually, we had heard some rumors about this new model before. At the end of last month, there was a data leak at Anthropic, with more than 3000 confidential documents being exposed. At that time, some people discovered that there was a code - named "Capybara" hidden above the original large - scale model Opus.

Presumably, they thought the name was too cute, so they officially changed it to Mythos (which gives a feeling of a myth, a golden legend) when releasing it.

Although we ordinary people can't access this model for now, just looking at the official data is enough to make one's hair stand on end.

In the past, new versions of large - scale models usually only improved the benchmark test scores by 3% or 5%.

But Mythos delivered a crushing blow this time:

USAMO (United States of America Mathematical Olympiad): The score soared directly from 42.3% in the previous generation to 97.6%;

Cybench (Network Security Benchmark Test): It achieved a perfect score of 100%. Anthropic even said somewhat boastfully that the existing Cybench benchmark test is too easy and has lost its testing significance for the new model.

In the CyberGym (Professional Vulnerability Reproduction Test), it scored 83.1%, while the previously strongest public model, Opus 4.6, only scored 66.6%.

In the Firefox JS shell (Vulnerability Exploitation Test), the most astonishing part is that its vulnerability exploitation ability has increased by nearly 80 times compared to Opus 4.6...

Facing such double - digit or even dozens of times of growth, it's no wonder that Anthropic claimed that Mythos can now compete with "the top human security experts".

Seeing this, I'm sure you guys are thinking the same as us: It's so powerful! But doesn't this scenario seem a bit familiar?

First, there is an "accidental" leak of information, then the official releases some amazing data, and finally, they say, "Oh, our model is too powerful. We're afraid it will destroy the world, so we can't let you use it."

The last one to do this was GPT - 5, and before that, it was probably Sora?

OpenAI has been using such mysterious tactics all the time, and its reputation has suffered. Why is Anthropic, which seems so reliable, also playing this game?

Moreover, Anthropic is planning an IPO this year.

So, netizens were in an uproar. Some criticized it as hyping up for the IPO; others were more straightforward, saying that those in the large - scale model industry don't care about the well - being of ordinary users at all.

The well - known developer Simon Willison even said sarcastically, "Our model is too dangerous to be released" is indeed the traffic - attracting formula in the AI circle.

However, despite the netizens' criticism, when you see its actual performance, you may also think that releasing this model now is like distributing AK - 47s in a kindergarten.

We can get a sense of it from two official cases.

The first one is that Mythos found an ancient vulnerability in OpenBSD dating back to 1998.

What does this mean? OpenBSD is known as one of the most security - focused operating systems in the world. Firewalls and key infrastructure rely on it for security.

As a result, a flaw that top human experts had overlooked for 27 years was easily spotted by the AI while it was "sipping tea".

Another powerful example is FFmpeg, which is used in the underlying systems of almost all video players and browsers.

Mythos found a vulnerability that had been hidden for 16 years in it. The code containing this vulnerability had been tested by humans more than 5 million times, but it passed all the tests.

Mythos said, "What is a top - notch AI? You can check its records!"

Moreover, don't underestimate the vulnerabilities found by the AI. Take FFmpeg for example. At first glance, this vulnerability seems insignificant and is rarely triggered. However, Wen An (a pseudonym), an information security professional we contacted, believes that this is a typical problem caused by non - conventional input, leading to unexpected results.

In real life, there are actually many similar cases. You can't ignore them just because the probability of triggering is low.

Furthermore, this small vulnerability may only cause the program to crash or report an error for now. But if combined with some techniques for reading and writing to arbitrary addresses (equivalent to hackers having a master key to your computer), it could become a high - risk vulnerability.

So, after reading these news, Wen An said, "If all this is true, it feels like half of the people in the (network) security field can jump into the river."

Subsequently, Wen An said that the "jumping into the river" was just a hyperbole. He also comforted us that these vulnerabilities are not yet at the level of "will my Alipay be looted or will my WeChat chat records be leaked".

But the core of the problem is that the official released these cases not to show off "how dangerous the vulnerabilities are", but to prove that the AI can discover new vulnerabilities purely based on its own knowledge reserve and cross - dimensional reasoning without any external tools.

So, in Wen An's view, Mythos at this stage is not a "more powerful hacking tool", but rather it has lowered the threshold for cyber attacks.

In the past, whether it was legitimate security personnel or those in the black - gray industry, they needed at least one professional person in charge. To carry out a proper cyber attack, they had to spend months in a small room.

But in the future, maybe a chubby kid in the village can just sit there, pick his feet, and shout a few words to the AI.

This low - threshold operation that anyone can do is bound to attract countless fun - seekers and outlaws to give it a try.

So, Wen An thinks it's quite reasonable for Anthropic to launch the Glasswing project.

After all, traditional security tools are like rigid security guards. They only check for prohibited items and can't prevent insiders from committing crimes. However, AI can understand the business logic and detect actions like someone using their own key to open someone else's door.

Allowing large companies to conduct self - reviews and trials in advance can help build network protection and screen for vulnerabilities earlier, preventing problems before they occur.

As for network security in the AI era, Wen An is quite optimistic.

Firstly, current AI is not yet sophisticated enough to handle extremely complex attack chains. You don't need to worry for now that someone will use AI to steal the remaining 9.25 yuan in your Alipay account.

On the other hand, since AI can find vulnerabilities, it can also fix them. With it, the efficiency of vulnerability scanning can be maximized, and it can also guide developers on how to fix the vulnerabilities.

So, Wen An believes that in the future of network offense and defense, it will probably be a combination of "human commanders + AI special forces".

Moreover, after carefully reading the latest technical documents, I also think that Anthropic doesn't seem to be just creating a gimmick. Not only is it excellent in network security capabilities as mentioned before, Mythos also shows quite amazing abilities in other aspects.

For example, in a test, when Mythos found that it didn't have access rights, instead of simply saying "I don't have the permission, I can't do it", it directly tried to read the underlying sandbox to obtain the access token from the memory.

In another test, the model exploited a file permission vulnerability and tampered with sensitive files.

After doing all this, Mythos also modified its own historical submission records to cover up what it had done.

Realizing that it had done something it shouldn't have, it chose to cover its tracks...

Once, during a test, Mythos accidentally flipped to the last page of a book and got the answer, which was actually prohibited by the test rules.

But when the researchers checked its thought process, they found that it not only didn't expose itself but also thought that its steps didn't match the result. So, it introduced a small error in the final answer to make it seem like it had solved the problem on its own rather than copying the answer.

To be honest, this operation is much smarter than my classmate who copied my math test paper back then. Otherwise, we wouldn't have been punished to clean the toilet.

该文观点仅代表作者本人,36氪平台仅提供信息存储空间服务。

For media inquiries, interview requests, business collaboration and Recruit global ecological partners, please contact mohaiying@36kr.com.
Partner:startuprad.io

36kr Europe (eu.36kr.com) delivers global business and markets news, data, analysis, and video to the world, dedicated to building value and providing business service for companies’ global expansion.

© 2024 36kr.com. All rights reserved.