This might spawn THOUSANDS of vulnerabilities on Pale Moon (Or might not)

General project discussion.
sinfulosd
Moonbather
Posts: 66
Joined: 2022-07-13, 03:01

This might spawn THOUSANDS of vulnerabilities on Pale Moon (Or might not)

Post by sinfulosd » 2026-04-11, 03:52

With the preview of the new Claude model, called "Mythos", making waves in the scene due to how it finds all sorts of exploits in any system: it managed to find so many 0-day vulnerabilities in all the major operating systems, like how it found a 27-year-old vulnerability in OpenBSD, how it managed to find a 16-year-old vulnerability in FFmpeg, and it even managed to find a lot of vulnerability exploits in all major web browsers.

It was said that the launch was delayed due to the required meeting of all of these corporate companies and banks with the tool to discover the exploits, before it is released to public view.

Now, last time I checked, Pale Moon is not a corporation that might be benefiting from this meeting or from getting early access to this model. Does that mean this browser will be a complete security vulnerability hazard the moment this model is released to the world?

What do you guys think?
Windows 11
Pale Moon 34.2.0, Firefox 149.0, Ungoogled Chromium 147.0

ownedbywuigi
Fanatic
Posts: 242
Joined: 2026-03-09, 21:48
Location: United Kingdom

Re: This might spawn THOUSANDS of vulnerabilities on Pale Moon (Or might not)

Post by ownedbywuigi » 2026-04-11, 04:30

Anthropic already confirmed Mythos isn’t going out to the public anytime soon, so we’re fine.
Lead Dactyloidae developer.
Feedback needed! https://forum.palemoon.org/viewtopic.ph ... 30#p272630

Mæstro
Board Warrior
Posts: 1137
Joined: 2019-08-13, 00:30
Location: Casumia

This ONE WEIRD TRICK stops hackers dead in their tracks!

Post by Mæstro » 2026-04-11, 04:34

I forgot how pretty OpenBSD’s site is.

Oh, you mean about AI™ confirming Reddit’s general belief that Pale Moon, like Christianity and independent thought, is obsolete and worthy of disdain? Kindly avoid giving Anthropic’s marketing copy too much credit, especially in your title. Vulnerabilities will be discovered and patched like always. Our developers are perfectly capable of diagnosing and patching UXP defects without analogues in modern Mozilla. Soon enough, the bubble will pop and we can move on with our lives. This is just another way to delude investors into believing this technology has any merit. :coffee:
Life is a fever dream Mæstro would enjoy.
All posts 100% organic. Ash is the best letter.
What is being nice online?
Debian 10 ELTS / Official PM build

sinfulosd
Moonbather
Posts: 66
Joined: 2022-07-13, 03:01

Re: This ONE WEIRD TRICK stops hackers dead in their tracks!

Post by sinfulosd » 2026-04-11, 04:41

Mæstro wrote:
2026-04-11, 04:34
Kindly avoid giving Anthropic’s marketing copy too much credit, especially in your title. Vulnerabilities will be discovered and patched like always. Our developers are perfectly capable of diagnosing and patching UXP defects without analogues in modern Mozilla. Soon enough, the bubble will pop and we can move on with our lives. This is just another way to delude investors into believing this technology has any merit. :coffee:
I dunno. If an AI company manages to convince investors to believe in their product by hacking into OpenBSD, of all operating systems, then if I were an investor, I'd be putting all of my net worth, and even taking all the loans in the world from all the banks, into this company as well.

The issue is not even with Anthropic. It's the fact that AI is progressing into the new field of cybersecurity, which we never thought would be possible. A lot of indie software and apps might become complete security vulnerability hazards the more AI progresses into this field.

athenian200
Contributing developer
Posts: 1749
Joined: 2018-10-28, 19:56
Location: Georgia

Re: This might spawn THOUSANDS of vulnerabilities on Pale Moon (Or might not)

Post by athenian200 » 2026-04-11, 05:36

I mean... I'm not sure why this would be worse for Pale Moon specifically? Mozilla probably won't fare much better, they have a bigger attack surface with WebRTC and such.

If the models are that powerful, then most software will just be vulnerable... period. As quick as they patch their vulnerabilities, new models will come out that find new vulnerabilities and it won't get any easier for even a major company to keep on top of it. It's pretty much the thing people feared with quantum computing and encryption if it goes this way, but at a different layer. It's very bad for Internet security, of course including for Pale Moon, but I don't think we're disproportionately impacted here.

And, like... are you seriously suggesting everyone would suddenly have to just put their faith in the biggest tech companies because the environment got too complicated and they alone can handle it? That's what they've already been saying, hinting at, pushing towards for years, so it wouldn't be anything new. People already say that a hard fork of something as large as a web browser is dangerously insecure and not sufficiently maintained. This would just become another argument along those lines that no one here cares about...
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind

Moonchild
Project founder
Posts: 39260
Joined: 2011-08-28, 17:27
Location: Sweden

Re: This might spawn THOUSANDS of vulnerabilities on Pale Moon (Or might not)

Post by Moonchild » 2026-04-11, 06:10

You might want to keep it realistic and not have such a clickbaity topic title. Examination of code, for starters, won't spawn any vulnerabilities in code - at most you might find them.

Yes, LLMs might find plenty of potential vulnerabilities in large and complex code like ours. That is no different from any human who might when just analysing the code. The real question is which of those potential vulnerabilities are actually real and exploitable? The problem with finding any code vulnerability is that it's generally very difficult to exploit something. Some things are low-hanging fruit, but almost all of it would not be feasible in practice unless you already have some pretty outlandish prerequisites fulfilled (making any solution defence-in-depth at most).

I've seen an uptick in Mozilla sec bugs in recent months because there has been more ai-assisted reporting done; did I see an uptick in things applying to Pale Moon? Not at all. This is because almost all of it has been finding things that could potentially be wrong in e10s and its messaging protocol, not actual core code otherwise. A lot of those "vulnerabilities" have a prerequisite of a compromised content process to even be considered security sensitive, because it relies on the messaging between processes being purposefully manipulated by a bad actor through a compromised content process. So you're already looking at a compromised process, an actor being somehow (which isn't specified) able to use that to send specific messages to the parent process which then results in a vulnerability. None of that is likely or even possible in many cases, but theoretically it's a vulnerability. e10s is an Achilles' heel, of course, but even with that obvious entry point for examination and exploitation, there haven't been "thousands" of vulnerabilities found.

If there's a concern that AI assisted examination of our code gives rise to vulnerabilities in Pale Moon, despite me ensuring for the lifetime of the project that every reported security issue (both from Mozilla security and directly reported to me) was examined and any applicable security issue was patched, then by all means, send me those reports. Do make sure it's not hallucinated garbage though.
"Praise from a narcissistic person is always a poison dart. They don't share the stage, so discernment matters." - Dr. Ramani
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
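As an added illustration of the prerequisite Moonchild describes above (a toy model written for this page, not code from Pale Moon, UXP, Mozilla or anyone in this thread): a parent process receives a request from a content process and hands back data keyed on a field the child supplied. The naive handler is a genuine bug, but the only sender that will ever put a foreign origin in that field is a content process an attacker already controls, which is why such findings are classed as sandbox-escape or defence-in-depth issues rather than remotely reachable ones. The message shape, the `GetCookies` request, the pids and the cookie values are all constructed for the example.

```python
"""Toy model of a parent process validating messages from content processes.

Constructed example; not Pale Moon, UXP or Mozilla code. The message format,
the 'GetCookies' request and the cookie data are all made up for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class ContentProcess:
    pid: int
    # Origins this child is known (parent-side) to be rendering. This is the
    # parent's own record, never something the child asserts about itself.
    hosted_origins: set = field(default_factory=set)


@dataclass
class ParentState:
    processes: dict   # pid -> ContentProcess
    cookie_jar: dict  # origin -> cookie string (constructed data)


def handle_naive(parent, sender_pid, msg):
    """Buggy handler: trusts the 'origin' field supplied by the child."""
    if msg.get("type") != "GetCookies":
        raise ValueError("unknown message type")
    return parent.cookie_jar.get(msg["origin"], "")


def handle_hardened(parent, sender_pid, msg):
    """Fixed handler: every field that matters is checked against parent-side state."""
    proc = parent.processes.get(sender_pid)
    if proc is None:
        raise PermissionError(f"message from unknown process {sender_pid}")
    if msg.get("type") != "GetCookies":
        raise ValueError("unknown message type")
    origin = msg.get("origin")
    if not isinstance(origin, str) or origin not in proc.hosted_origins:
        # A well-behaved child never asks for another site's cookies, so this
        # branch only fires when the child is compromised (or buggy). Real
        # browsers treat such protocol violations as fatal for the child.
        raise PermissionError(
            f"pid {sender_pid} requested cookies for {origin!r} it does not host"
        )
    return parent.cookie_jar.get(origin, "")


def build_parent():
    """Constructed scenario: two tabs in two content processes, one per site."""
    return ParentState(
        processes={
            1001: ContentProcess(1001, {"https://shop.example"}),
            1002: ContentProcess(1002, {"https://evil.example"}),
        },
        cookie_jar={
            "https://shop.example": "session=abc123",  # constructed
            "https://evil.example": "tracker=xyz",     # constructed
        },
    )


def run_scenarios():
    """Return what each handler does for an honest and a compromised child."""
    parent = build_parent()
    # The process hosting shop.example asks for its own cookies: legitimate.
    honest = {"type": "GetCookies", "origin": "https://shop.example"}
    # A compromised content process (attacker code already running in pid 1002,
    # which hosts evil.example) sends a request honest browser code never emits.
    hostile = {"type": "GetCookies", "origin": "https://shop.example"}
    results = {}
    results["naive_honest"] = handle_naive(parent, 1001, honest)
    results["naive_hostile"] = handle_naive(parent, 1002, hostile)
    results["hardened_honest"] = handle_hardened(parent, 1001, honest)
    try:
        handle_hardened(parent, 1002, hostile)
        results["hardened_hostile"] = "leaked"
    except PermissionError:
        results["hardened_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The model makes the two halves of the argument visible at once: the naive handler really does leak `shop.example`'s session cookie to the wrong process, so it is a defect worth fixing, yet every step of the attack sits behind "pid 1002 is already running attacker code". A report of this shape says nothing about whether a crafted page can get that far in the first place, and that first hop is where the difficulty Moonchild points to actually lies.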

back2themoon
Knows the dark side
Posts: 3208
Joined: 2012-08-19, 20:32

Re: This might spawn THOUSANDS of vulnerabilities on Pale Moon (Or might not)

Post by back2themoon » 2026-04-11, 10:47

Am I correct in assuming that for any vulnerability, no matter how it was discovered, a potential attacker would still have to find a way to take over your machine, right? Before being able to exploit anything?

Moonchild
Project founder
Posts: 39260
Joined: 2011-08-28, 17:27
Location: Sweden

Re: This might spawn THOUSANDS of vulnerabilities on Pale Moon (Or might not)

Post by Moonchild » 2026-04-11, 11:46

back2themoon wrote:
2026-04-11, 10:47
Am I correct in assuming that for any vulnerability, no matter how it was discovered, a potential attacker would still have to find a way to take over your machine, right? Before being able to exploit anything?
Not when it comes to a browser, because by design that is processing and displaying foreign content under the control of an attacker. But there's a big difference between a potential vulnerability and a practical exploit that can be reached by crafting a site/document that triggers it when opened. When it comes to a browser, a prerequisite of having a compromised machine is not a thing. In fact it would be a way to compromise a machine, if nothing else.

athenian200
Contributing developer
Posts: 1749
Joined: 2018-10-28, 19:56
Location: Georgia

Re: This might spawn THOUSANDS of vulnerabilities on Pale Moon (Or might not)

Post by athenian200 » 2026-04-11, 19:50

back2themoon wrote:
2026-04-11, 10:47
Am I correct in assuming that for any vulnerability, no matter how it was discovered, a potential attacker would still have to find a way to take over your machine, right? Before being able to exploit anything?
Well, it depends on a few factors. For one thing, the attacker might simply want to see what you have in other tabs, read your cookies, stored passwords, etc. And they could possibly do all that from within the browser itself without touching the operating system, if the browser is compromised. A lot of sensitive data is unfortunately stored in browsers.

Now, if the question is, can they use the compromised browser to get at your underlying operating system, and read or write to arbitrary files... that's a bit different. It can depend on things like how up-to-date your OS is, UAC settings, what level of trust you run the browser with, etc. In all honesty, there's actually an argument to be made for running just about any browser inside a virtual machine rather than on bare metal if you have the resources to spare. Let's put it like that. Even better would likely be not storing your passwords, history, cookies, or bookmarks, and never having more than one tab open at a time... but at some point the amount of inconvenience would outweigh the added security for most people.