By rssfeeds-admin 
Remarkably, this AI-driven security research accounted for nearly a fifth of all high-severity Firefox vulnerabilities remediated in the previous year.
Mozilla has already deployed fixes for the majority of these flaws to hundreds of millions of users in the Firefox 148.0 release, showcasing the speed and effectiveness of AI-assisted patching.
Working in close collaboration with Mozilla researchers, the Anthropic team reported these flaws, leading to 14 being officially classified as high-severity.
Vulnerability Discovery and Exploitation
Before targeting live software, Anthropic evaluated the previous Opus 4.5 model using the CyberGym benchmark to test its ability to reproduce known vulnerabilities.
Seeking a more rigorous test, researchers shifted Opus 4.6 to the current Firefox codebase, starting primarily with the browser’s JavaScript engine and C++ files.
Because this engine processes untrusted external code, it represents a highly critical attack surface.
Within twenty minutes of isolated analysis, Claude identified a Use-After-Free flaw, a severe memory corruption vulnerability that allows attackers to overwrite data with malicious payloads.
After validating this initial bug in an independent virtual machine, the Anthropic team expanded the AI’s scope, eventually submitting 112 unique crash reports to Mozilla’s Bugzilla tracker.
To measure the upper limits of the model’s offensive capabilities, Anthropic researchers challenged Claude to develop primitive exploits for the discovered bugs.
The goal was to execute a real attack, specifically reading and writing a local file on a target system. Utilizing approximately $4,000 in API credits across hundreds of test runs, Opus 4.6 successfully generated functional exploits in only two cases.
These attacks were crude and only functioned in a constrained testing environment where core security features, notably the Firefox sandbox, were intentionally disabled.
While Firefox’s defense-in-depth architecture successfully mitigated these specific attacks in real-world scenarios, the experiment proves that AI models are inching ever closer to automated, end-to-end exploit generation.
Mitigation and Task Verifiers
To help software maintainers manage an influx of AI-generated vulnerability reports, Anthropic strongly advocates for the implementation of “task verifiers.”
These verification tools provide real-time, automated feedback to AI patching agents as they navigate a codebase.
A highly effective patching agent must verify two critical elements: that the vulnerability is entirely neutralized, and that the application’s intended functionality remains completely intact.
By running automated regression tests alongside vulnerability triggers, task verifiers allow the AI to iteratively refine its candidate patches until they meet minimum security and stability requirements before human review.
The rapid influx of AI-discovered bugs places a heavy triage burden on maintainers. During the collaboration, the Mozilla security team noted that trusting AI-generated submissions requires strict documentation and coordination.
Specifically, they require accompanying minimal test cases, detailed proofs-of-concept (PoCs), and viable candidate patches from researchers.
Anthropic has integrated these procedural norms into its Coordinated Vulnerability Disclosure (CVD) principles.
Furthermore, with the launch of Claude Code Security in limited preview, Anthropic is pushing these rapid find-and-fix capabilities directly to defenders, aiming to secure infrastructure before malicious actors can fully master AI-driven exploitation.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
The post Claude AI Discovers 22 Major Vulnerabilities in Firefox Browser in 14 Days appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.