AI Turns Patches into Exploits in 30 Minutes
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
AI Disrupts Security: Patches Become Exploits in 30 Minutes
Himanshu Anand, a recognized expert in cybersecurity, highlights a radical transformation in the vulnerability disclosure process. According to him, AI-based language models have disrupted the traditional 90-day disclosure framework, allowing multiple researchers to simultaneously discover the same security flaws.
AI tools now provide attackers with the ability to turn security patches into functional exploits in record time, often in just a few minutes. This technological advancement significantly reduces the time that vendors and administrators previously had to secure their systems.
Anand emphasizes the urgency for vendors to treat critical bugs as absolute priorities, for researchers to shorten disclosure timelines, and for administrators to deploy patches without delay to keep pace with the rapid threats posed by AI.
An Obsolete Disclosure Process
When a critical vulnerability is discovered, the standard procedure is to report it to the relevant vendor, who then has 90 days to publish a patch before the information is made public. This model, widely adopted thanks to Google's Project Zero, relies on four key assumptions that Himanshu Anand now considers outdated.
First, it was assumed that the person discovering the bug was likely the only one to have identified it. Second, even if other researchers found the same flaw, they would each take their time to report it. Third, the vendor had a comfortable lead time to develop a patch. Finally, after a patch was published, it was assumed that attackers would take several days or even weeks to create a functional exploit.
With over ten years of experience in cybersecurity and currently a security analyst at Cloudflare, Anand has been a finalist three times in the prestigious DEF CON hacking competition. In a blog post, he illustrates how AI language models challenge these assumptions with three concrete examples.
Concrete Examples
Eleven Journalists, One Bug, Six Weeks, and 30 Minutes from Patch to Exploit
In April, Anand discovered a critical flaw in an e-commerce site that allowed anyone to complete purchases for zero dollars. To his surprise, the vendor revealed that he was the eleventh person to report this flaw within six weeks. A triage staff member explained that as soon as a flaw is discovered using an AI tool, a wave of similar reports quickly follows. Anand questions: if ten honest researchers find the same flaw, how many others discover it without saying anything? This challenges the assumptions that discovery is exclusive and that parallel discoverers require additional time.
An AI-Discovered Linux Flaw Breaks the Embargo in Just Hours
A striking example concerns the Linux kernel. At the end of April, the Xint Code team published a vulnerability dubbed "Copy Fail," discovered through a one-hour AI scan. A 732-byte script allowed attackers to gain root access on nearly all Linux distributions since 2017. Within days, Iranian malicious actors were exploiting this flaw to hijack servers and launch DDoS attacks.
A week later, researcher Hyunwoo Kim revealed a vulnerability named "Dirty Frag." Kim had negotiated a five-day embargo with Linux distributions to prepare patches. However, this embargo was broken within hours by third parties who independently discovered and published the same class of vulnerability. When the details were made public, no distribution had a patch ready. The Microsoft Defender team confirmed active exploitation within 24 hours.
Recommendations for Stakeholders
Anand offers specific recommendations for three main groups:
-
Vendors should treat critical bugs as P0 emergencies, fixing them immediately without waiting for the usual development cycles. The countdown begins as soon as a report is received, not during triage meetings.
-
Researchers should advocate for shorter disclosure timelines, as statistically, they are no longer the only ones aware of a given flaw.
-
Administrators must deploy patches immediately, without waiting for the next monthly maintenance window.
Furthermore, development teams should proactively integrate language models into their processes, using them to automatically analyze patch differences, continuously scan their own dependencies, and verify the effectiveness of deployed patches. Anand emphasizes that attackers have already adopted these practices, and "right now, attackers are winning this race."
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.