Microsoft Azure CTO set Claude on his 1986 Apple II code, says it found vulns

AI can reverse-engineer machine code and find vulnerabilities in ancient legacy architectures, says Microsoft Azure CTO Mark Russinovich, who used his own Apple II code from 40 years ago as an example.

Russinovich wrote: "We are entering an era of automated, AI-accelerated vulnerability discovery that will be leveraged by both defenders and attackers."

In May 1986, Russinovich wrote a utility called Enhancer for the Apple II personal computer. The utility, written in 6502 machine language, added the ability to use a variable or BASIC expression for the destination of a GOTO, GOSUB, or RESTORE command, whereas without modification Applesoft BASIC would only accept a line number.

Russinovich had Claude Opus 4.6, released early last month, look over the code. It decompiled the machine language and found several security issues, including a case of "silent incorrect behavior" where, if the destination line was not found, the program would set the pointer to the following line or past the end of the program, instead of reporting an error. The fix would be to check the carry flag, which is set if the line is not found, and branch to an error.

Claude finds vulnerabilities in 40 year old type-in code for the Apple II

The existence of the vulnerability in Apple II type-in code has only amusement value, but the ability of AI to decompile embedded code and find vulnerabilities is a concern. "Billions of legacy microcontrollers exist globally, many likely running fragile or poorly audited firmware like this," said one comment to Russinovich's post.

When Anthropic introduced Claude Opus 4.6, the company warned about the problem of AI quickly finding vulnerabilities that could be exploited by hackers.

"When we pointed Opus 4.6 at some of the most well-tested codebases (projects that have had fuzzers running against them for years, accumulating millions of hours of CPU time), Opus 4.6 found high-severity vulnerabilities, some that had gone undetected for decades," said the company's Red Team, responsible for raising public awareness of AI risks.

The Red Team suggested "this is a moment to move quickly... to secure as much code as possible while the window exists." That approach may work for current high-profile open source projects like Mozilla's Firefox, where AI apparently found 14 high-severity bugs, but is not realistic for much of the old code that continues to run, such as on embedded devices or in legacy applications.

Last month, Anthropic said: "We expect that a significant share of the world's code will be scanned by AI in the near future, given how effective models have become at finding long-hidden bugs and security issues."

Although the title of Anthropic's post focuses on making these capabilities available to defenders, at a price, one suspects it is not really a net gain for cybersecurity.

Nor is it a win for most open source projects, since AI is also good at finding irrelevant or non-existent security problems, causing a burden for maintainers drowning in AI slop. ®