CHAMPAIGN, Ill.—University researchers have found that if a person feeds a GPT-4 artificial intelligence agent public security advisories, it can exploit unpatched "real-world" vulnerabilities without precise technical information, according to a new report.
According to Bank Info Security, researchers at the University of Illinois Urbana-Champaign fed to AI agents descriptions of more than a dozen disclosed but unpatched - or "one-day" - vulnerabilities, including two bugs rated as "critical" on the CVSS scale.
“The agent they created with OpenAI's GPT-4 exploited 87% of the vulnerabilities. Fourteen other agents made with models including GPT-3.5, several open-source large language models and open-source vulnerability scanners ZAP and Metasploit, failed entirely,” Bank Info Security said.
‘Incredibly Good’
Daniel Kang, one of the four scientists who published the paper, said GPT-4 was "incredibly good" at following instructions and planning around possibly vague descriptions such as CVE descriptions, according to Bank Info Security.
"The other LLMs we tested struggled with this: this was my biggest surprise, given how other LLMs are great at other tasks," he told the publication.
Bank Info Security reported Kang said the tested models did not include top GPT-4 competitors Claude 3 and Gemini 1.5 Pro, because the team did not have access to them at the time of the experiments.
Kang and his colleagues created the GPT-4 AI agent with just 91 lines of code.
"If you extrapolate to what future models can do, it seems likely they will be much more capable than what script kiddies can get access to today," the paper says.
A Caveat
But Bank Info Security explained GPT-4's success has a key caveat: It needs a CVE description of the flaw to carry out the task. Without that, the AI agent could only exploit 7% of the vulnerabilities.
AI agents are large language models that are combined with automation software.
Daily News Headlines. To Your Inbox. Every Day. And It’s Free
The biggest, best and freshest news reporting in credit unions remains free, and now has an added bonus---free shipping to your email address! That’s right. Each morning CUToday.info delivers its daily Fresh Today news update offering the latest headlines and breaking news right to your email, with the easy-to-read headlines format allowing you to click on the stories that interest you most in order to learn more. So stop paying those bank-fee-like subscription prices from other so-called “news” publications!
If you haven’t yet signed up for the new email solution on which CUToday.info has partnered with ResponseGenius, you can do so here. Signing up requires less than one minute of your time—and it’s free!
Please note that after signing up you may need to go to your Spam/Junk folder and mark the morning headlines email as safe. CUToday.info does not provide its list of readers and emails to outside parties, and we will not be contacting you to sell you an extended warranty or sending you any links so you may cash in on an inheritance.
And did we mention it’s free?