Apple Alerted to macOS Security Vulnerability Uncovered With AI Tool

[rp2011]

Said it before, but I could care less about Apple LLMS, and should care far more about Apple keeping its customers safe from AI. Good for Anthropic holding off on deploying its most advanced models before alerting companies like Apple. But Apple should be far more proactive on that side of things and not have to rely of the kindness of strangers to keep it's house in order.

 

[Unregistered 4U]

Come on, the new cluelessness is to capture random command line strings from Github and paste them into Terminal. It's incredibly amusing that bad actors don't even have to try to package up their attacks any longer.

Oh, right!
Security Researcher: “Hey here’s an exploit that’s really fancy can be done wirelessly with the right setup beforehand, MIGHT not work if the user doesn’t have their system set up in the right…”
Malicious Actor: “Yeah, I think we’ll just use the thing that actually works most of the time that doesn’t require” hand waving “all that.”

 

[svish]

Interesting to see AI helping out. Hopefully if the vulnerability exists Apple will fix it or would have fixed it by now.

 

[numberfive]

And imagine what sophisticated hacks can be created by AI based on reverse engineering patched vulnerabilities the day an update drops. We are barreling towards a day where if you do not update your systems on the day the update drops, you are already compromised.

vulnerabilities in legacy software are finite, at some point AI will be a routine part of CI/CD pipeline to prevent ai-discoverable vulnerabilities to even go live. so the attack vector described by you will not be that impactful.

also, it’s still super expensive and requires skills even today. so beyond nation states the business model is not obvious.

 

[urnotl33t]

Oh, right!
Security Researcher: “Hey here’s an exploit that’s really fancy can be done wirelessly with the right setup beforehand, MIGHT not work if the user doesn’t have their system set up in the right…”
Malicious Actor: “Yeah, I think we’ll just use the thing that actually works most of the time that doesn’t require” hand waving “all that.”

The words you’re looking for are “security theater”. Threat prevention vendors do the same thing… try to sell you on some swanky new product that has to be configured a specific way with specific components and only those components. Any other configuration or use case instantly voids their product.

E.g.: “we can protect your users browsing usage but only with this chrome browser extension and access rights to the user’s computer and with a proxy configuration to our FancyWidget hosted at AWS.” WTF? That’s not a product, dude; that’s a wish.