
MacRumors

macrumors bot
Original poster


Anthropic recently announced Project Glasswing, an initiative that enables tech companies like Apple to use its new frontier AI model Claude Mythos Preview to find security vulnerabilities across operating systems and web browsers.


The Wall Street Journal today reported that researchers at cybersecurity firm Calif used Claude Mythos Preview to uncover a new macOS security vulnerability last month. Specifically, they used the model to write code that links together two macOS bugs in a way that resulted in what is known as a privilege escalation exploit.

The security researchers said the exploit would not have been possible with Mythos alone, as it still required their human expertise on top, but it nevertheless proves that AI can assist with discovering software vulnerabilities.

Apple said it was reviewing Calif's report to validate the findings.

"Security is our top priority, and we take reports of potential vulnerabilities very seriously," an Apple spokesperson told The Wall Street Journal.

It is unclear if Apple has already patched the exploit. Apple's security notes for the macOS 26.5 update released this week mention a fix for a kernel-level vulnerability, and it credits Calif and Anthropic for discovering it. Yet, the report said that Calif only met with Apple this week and suggested that a fix was still coming.

We have reached out to Apple for comment.

Article Link: Apple Alerted to macOS Security Vulnerability Uncovered With AI Tool
 
Bug bounty programs will get complicated… if AI found the vulnerability who gets the reward? 🤑 The user? The model owner? George RR Martin? 🤔
 
If researchers can use AI tools to identify vulnerabilities, so can nation-state hackers, and likely small-time hackers too.
The arms race towards computing Armageddon has just begun.
I'm sure it's been tested but also if one AI is placed "head to head" against another, or maybe I've just seen too many sci-fi movies. 🤪🤖
 
Companies will need to increase their agility on resolving these findings. It’s going to create a backlog that’ll last for years if they move at their current pace.
 
If researchers can use AI tools to identify vulnerabilities, so can nation-state hackers, and likely small-time hackers too.
The arms race towards computing Armageddon has just begun.
You're not wrong in your intuition that this levels the playing field on finding exploits, but the end result should be the opposite: The more stress testing, the safer the code. And there are languages and techniques that fundamentally evaporate entire classes of bugs, and if enough bugs are found in existing solutions it can prompt maintainers to perform such upgrades. It has a hint of evolution to it: The strong and adaptable solutions will survive. It doesn't have to be a pretty journey, I'm not claiming it'll be rainbows and unicorns, but directionally not an armageddon.
 
If researchers can use AI tools to identify vulnerabilities, so can nation-state hackers, and likely small-time hackers too.
The arms race towards computing Armageddon has just begun.
And imagine what sophisticated hacks can be created by AI based on reverse engineering patched vulnerabilities the day an update drops. We are barreling towards a day where if you do not update your systems on the day the update drops, you are already compromised.
 
I've used Apple since 2010. It was gold then. Now?

Well, if Apple won’t listen to objective-see.org - that’s what happens.

Want to get rid of the iCloud because of Google Gemini??? Yeah, well, Apple won't let you go that easy - now you are wasting time on a broader scale... and Apple just showed you that you are not the captain of your data. Why? Because it's already sold, buddy.

This data-driven, hazardous, out-of-thin-air economy is fatal. And it sneaked into Apple's backdoor (no pun intended).

Once John has kicked out the data kraken - Apple might sell Privacy again to us. For now it's a scam, lots of sugarcoating though... Why does Apple need Google or OpenAI? Why? Apple is the biggest player and not capable of developing AI? We know why.

Everybody who bought an Apple device expected to be premium private. One Q: what does Google get from Apple for this? A: User data. What else do they want? Yikes to the square!

I think it's a shame to ruin the reputation of that big beautiful beast. It needs shameless people to act like that. Probably drunks.

List of things that worked way better once: Auto correction, Spotlight, Safari, iCloud, 1st Level Support, etc.

Unfinished Products: iCloud, Lockdown Mode, Maps, etc.

Products missing: at least Aperture!

The Mac community is alive (users and support) and we won’t let go !

Never underestimate your customer 😉 We call it GooPPLE.
 
“The exploit is a data-only kernel local privilege escalation chain targeting macOS 26.4.1 (25E253). It starts from an unprivileged local user, uses only normal system calls, and ends with a root shell.”

So, same thing still applies. Don’t download random files from the internet and open them. I mean, novel that they’re proud to say AI was involved (they wouldn’t have been able to do it without AI), but, like all security researchers, they’re just in it for their 5 minutes of fame. That it’s unable to cause anyone any distress without an attacker having physical access to the machine (OR access to an unwise person with physical access to the machine) is just kinda where we are with computing today. Nothing for them to really raise an alarm about.
 
"The security researchers said the exploit would not have been possible with Mythos alone, as it still required their human expertise on top, but it nevertheless proves that AI can assist with discovering software vulnerabilities."

For what it's worth, Google Search can also assist with discovering software vulnerabilities. These AI people are grasping at straws...
 
Lest we forget about “AI creating bugs”, which I guarantee you is happening.
It is. I tried one today. I asked it to rewrite some code to run faster (I was more specific than that) and it gave me a replacement that failed if one of the inputs was empty. When I pointed this out, it gave me a "corrected" version: my original code.
 
It is. I tried one today. I asked it to rewrite some code to run faster (I was more specific than that) and it gave me a replacement that failed if one of the inputs was empty. When I pointed this out, it gave me a "corrected" version: my original code.

Ugh ...

A supercharged new game of whack-a-mole.
 
This could have been discovered by humans just as well. The only difference is that humans are being assisted by AI. And that is the whole idea behind AI.
 