AI is getting scary good at finding hidden software bugs – even in decades-old code

AI’s Dual Role: Bug Hunter and Hacker’s New Best Friend

In a surprising revelation, Microsoft Azure CTO Mark Russinovich recently used Anthropic’s Claude Opus 4.6 to analyze assembly code he wrote in 1986 for the Apple II 6502 processor. The AI didn’t just explain the code—it performed a “security audit,” uncovering subtle logic errors, including a classic bug where a routine failed to check the carry flag after an arithmetic operation. This bug had been dormant for decades, highlighting AI’s ability to find old, obscure vulnerabilities.

The Good News:
AI is proving to be a powerful tool for identifying bugs in legacy systems. Traditional static analysis tools like SpotBugs, CodeQL, and Snyk Code excel at catching well-known issues, but AI models like GPT-4.1, Mistral Large, and DeepSeek V3 can complement these tools by reasoning about system behavior and uncovering hidden vulnerabilities. For example, Anthropic’s Claude Opus 4.6 helped Mozilla find more high-severity bugs in Firefox in just two weeks than human reporters typically find in two months. This demonstrates AI’s potential to enhance security by identifying flaws that might otherwise go unnoticed.

The Bad News:
However, AI’s capabilities also pose significant risks. As veteran go-to-market engineer Matthew Trifiro pointed out, the attack surface has expanded to include every compiled binary ever shipped. When AI can reverse-engineer 40-year-old, obscure architectures so effectively, traditional security measures like obfuscation and security-through-obscurity become nearly worthless. Adedeji Olowe, founder of Lendsqr, added that billions of legacy microcontrollers globally may be running fragile or poorly audited firmware, making them prime targets for AI-driven exploitation. Bad actors could use AI to systematically find and exploit vulnerabilities in systems that are effectively unpatchable.

The Reality Check:
While AI is a valuable assistant, it’s not ready to replace human programmers or security professionals. Studies have shown that AI-driven bug-finding is not a drop-in replacement for mature static analysis pipelines. In fact, AI can introduce security flaws at higher rates, including unsafe password handling and insecure object references. For example, CodeRabbit found that AI created 1.7 times as many bugs as humans, with 1.3-1.7 times more critical and major issues. Additionally, open-source projects like cURL have been flooded with bogus, AI-generated security reports, overwhelming maintainers with unnecessary work.

The Takeaway:
AI is a powerful tool for finding and fixing bugs, but it’s not a silver bullet. It works best when used in conjunction with existing tools and human expertise. For legacy systems, the risks are even greater, as AI could expose vulnerabilities in devices that are no longer supported or patched. As AI continues to evolve, it’s crucial to balance its potential benefits with the need for robust security measures and human oversight.

Tags: AI, cybersecurity, bug hunting, legacy systems, vulnerabilities, static analysis, Anthropic, Claude Opus, Microsoft, Apple II, assembly code, security audit, firmware, microcontrollers, open-source, Firefox, Mozilla, CodeRabbit, cURL, obfuscation, security-through-obscurity, AI-driven exploitation, human oversight, robust security measures.

Viral Phrases: “AI just found a 40-year-old bug hiding in plain sight,” “The attack surface just expanded to include every compiled binary ever shipped,” “AI is both a blessing and a curse for open-source developers,” “Legacy systems are now prime targets for AI-driven exploitation,” “AI can find bugs, but it can also create them—use with caution.”

,