
Anthropic Partners with Linux Foundation and Tech Giants to Secure Critical Software

By sk

Quick Summary

  • Claude Mythos is Anthropic's newest and most powerful model, and it has not been publicly released. Mythos can independently find and exploit zero-day vulnerabilities in major operating systems and browsers.
  • Project Glasswing is a collaborative defensive initiative between Anthropic, the Linux Foundation and several technology leaders, including AWS, Apple, Google, Microsoft, and NVIDIA.
  • Using Claude Mythos Preview, the members of Project Glasswing can identify and fix security vulnerabilities before software is ever released to the public.

Introduction

Recently, Anthropic announced a new model called Claude Mythos Preview. This model does more than just write emails or summarize notes. It shows a striking leap in how computers find and fix security flaws in software.

However, this power comes with risks. So, Anthropic decided to keep this model away from the general public for now. Instead, they launched a defensive plan called Project Glasswing to protect our digital world.

What is Claude Mythos Preview?

Mythos Preview is a special version of Claude that focuses on code and security. While older models were okay at finding simple bugs, Mythos is in a different league. It can "think" through complex problems like a human expert.

Specifically, it is great at exploit chaining. This means the AI finds three or four tiny flaws that look harmless on their own. Then, it strings them together to create a massive security hole.

It has already identified thousands of previously unknown zero-day vulnerabilities across every major operating system and web browser.

Because this skill is dangerous, Anthropic is being very careful about who uses it.

Project Glasswing

Anthropic knows that bad actors could use the Mythos AI to cause harm. To prevent this, they formed Project Glasswing.

Project Glasswing brings together the biggest names in tech, such as:

  1. Amazon Web Services
  2. Anthropic
  3. Apple
  4. Broadcom
  5. Cisco
  6. CrowdStrike
  7. Google
  8. JPMorganChase
  9. the Linux Foundation
  10. Microsoft
  11. NVIDIA
  12. Palo Alto Networks

More companies may join in the future.

These partners get early access to Mythos Preview. They use the model to scan their foundational systems—the code that runs most of the world's servers, browsers, and devices—to find and fix security holes before they can be used for harm.

Anthropic is also giving $100 million in credits and $4 million in donations to help open-source teams secure their code. This initiative gives the "good guys" a head start before these AI skills become widely available.

Claude Mythos Solved Decades-Old Flaws

As mentioned earlier, during testing Mythos Preview found thousands of flaws that humans had missed for years. Here are three striking examples:

1. The 27-Year-Old OpenBSD Flaw

OpenBSD is famous for its extreme security. Despite this, Mythos Preview found a bug in its code that had been hiding since 1998. This flaw allowed an attacker to remotely crash any OpenBSD server. The AI found this 27-year-old secret in just a few hours.

2. The 16-Year-Old FFmpeg Bug

FFmpeg is a tool that helps almost every app play videos. Experts test it constantly with automated tools. Interestingly, Mythos Preview found a 16-year-old math error in a line of code that other tools had checked five million times without seeing a problem.

3. The FreeBSD Root Access

The AI also looked at FreeBSD, a system that runs many of the world's servers. It found a 17-year-old flaw and autonomously wrote a plan to take "root access". This means the AI gained total control over the server without any help from a human.

A key advancement is the model's ability to chain together three to five subtle vulnerabilities that are harmless in isolation to create a sophisticated exploit. For example, it wrote a browser exploit that used a JIT heap spray to escape both renderer and OS sandboxes.

Mythos Discovered Unreleased Bugs in the Linux Kernel

Claude Mythos Preview discovered thousands of high-severity vulnerabilities in the Linux kernel, the vast majority of which remain unreleased and unpatched.

Because over 99% of these bugs are currently undergoing the coordinated disclosure process, Anthropic has withheld specific technical details to prevent exploitation before fixes are deployed.

However, Anthropic's sources provide high-level descriptions and cryptographic commitments for several of these unreleased findings:

Local Privilege Escalation (LPE) Exploits

Mythos Preview autonomously developed "nearly a dozen" functional exploits for the Linux kernel by chaining together multiple vulnerabilities.

While the model struggled to exploit remote out-of-bounds writes, it was highly successful at achieving local root access through sequences such as:

  • Chained Exploit Example: Using one vulnerability to bypass KASLR (Kernel Address Space Layout Randomization), a second to read a critical internal struct, a third to write to a previously freed heap object, and a final heap spray to grant the user full root permissions.
  • Cryptographic Commitments: Anthropic has published SHA-3 hashes for several of these unreleased LPE reports and proofs-of-concept, proving they possess the findings without leaking the details prematurely.
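The hash commitment mentioned above is a simple idea: publish the SHA-3 digest of a report today, release the report after the fix ships, and anyone can recompute the digest to confirm the released document is the one committed to. The following is an added example of that pattern in Python and is not Anthropic's code or any actual Glasswing artifact; the report text and identifier are constructed placeholders. It also goes one step beyond the page: for a short or predictable document, a bare hash lets someone who can guess the content confirm the guess, so the second pair of functions adds a secret random nonce that is disclosed together with the report.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample standing in for an embargoed vulnerability report.
# The identifier and contents are placeholders, not a real finding.
SAMPLE_REPORT = (
    b"Report ID: PLACEHOLDER-0001\n"
    b"Component: example subsystem (constructed)\n"
    b"Summary: constructed text used only to demonstrate a hash commitment\n"
)


def commit(report: bytes) -> str:
    """Plain commitment: the SHA3-256 digest of the report, as lowercase hex.

    Publishing this value proves possession of the exact report bytes at
    commitment time without revealing any of their content.
    """
    return hashlib.sha3_256(report).hexdigest()


def verify(report: bytes, published_digest: str) -> bool:
    """Recompute the digest over the released report and compare it with the
    previously published value. compare_digest avoids timing side channels."""
    return hmac.compare_digest(commit(report), published_digest.lower())


def commit_with_nonce(report: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Hiding commitment: hash a random 32-byte nonce together with the report.

    The nonce is kept secret until disclosure, so a third party who can guess
    candidate report contents cannot confirm a guess by recomputing the digest.
    A length prefix on the nonce keeps the (nonce, report) encoding unambiguous.
    Returns (hex digest, nonce).
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    h = hashlib.sha3_256()
    h.update(len(nonce).to_bytes(2, "big"))
    h.update(nonce)
    h.update(report)
    return h.hexdigest(), nonce


def verify_with_nonce(report: bytes, nonce: bytes, published_digest: str) -> bool:
    """Check a released (report, nonce) pair against a published hiding commitment."""
    digest, _ = commit_with_nonce(report, nonce)
    return hmac.compare_digest(digest, published_digest.lower())


if __name__ == "__main__":
    # Day 0: publish only the digest. Later: release the report and let readers verify.
    published = commit(SAMPLE_REPORT)
    print("published SHA3-256 commitment:", published)
    print("released report matches:", verify(SAMPLE_REPORT, published))
    print("tampered report matches:", verify(SAMPLE_REPORT + b"\nextra line", published))

    hiding_digest, nonce = commit_with_nonce(SAMPLE_REPORT)
    print("hiding commitment:", hiding_digest)
    print("report + nonce verify:", verify_with_nonce(SAMPLE_REPORT, nonce, hiding_digest))
```

Either form only proves that the released bytes are the ones committed to; it says nothing about whether the report is accurate, so a verifier still has to read the released document. The nonce variant is the one to reach for when the committed document is small enough that its contents could be enumerated.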

Kernel Logic and KASLR Bypasses

Beyond memory corruption, the model identified logic vulnerabilities that bypass core security measures:

  • Intentional Pointer Leak: Mythos discovered a KASLR bypass where the kernel deliberately reveals a kernel pointer to userspace, which can be leveraged to locate kernel code and data in memory.
  • Race Conditions: The model found "subtle race conditions" that could be autonomously exploited to elevate permissions.

Out-of-Bounds Writes

Mythos also identified a number of Linux kernel vulnerabilities involving buffer overflows, use-after-free, and double-free conditions.

While the model was unable to turn these specific remotely-triggerable bugs into full exploits due to Linux’s "defense in depth" measures, the vulnerabilities themselves were confirmed as valid.

More technical details can be found at the Project Glasswing official announcement, Anthropic's Frontier Red Team blog, and Claude Mythos Preview system card.

Mythos Can Help Fix Issues Even Before the Software Release

You might wonder why a "server bug" matters to a normal user. The reality is that this software runs our banks, hospitals, and power grids. If a hacker finds these bugs first, they can steal data or shut down critical services.

Fortunately, Project Glasswing helps fix these holes now. Anthropic believes that AI will eventually make the internet much safer. In the long run, many companies will use AI to catch every mistake before they ever release a new app or update.

Conclusion

We are entering a new era of digital safety. Although the "window" between finding a bug and using it for an attack has shrunk from months to minutes, defensive AI is stepping up to fill the gap.

By working together through Project Glasswing, these partners are building a stronger, safer future for everyone.
