Update: there's more information on the Windows 7 exploit mentioned below in a Register article at http://reg.cx/1FcX.
Update 2: I keep seeing references to this as a virus or worm. However, the code I've seen does not contain any self-replicative functionality. It's not even a Trojan, as such.
Following an extract from one of my blogs yesterday about the iPhone hack tool cited by Greg Keizer in Computerworld, I was taken to task in a comment by someone who rightly pointed out that "Apple has no obligation to secure jailbroken iPhones".
I hope the anonymous poster (and indeed Computerworld) won't mind if I quote a little more.
"Apple has no legal or moral obligation to secure jailbroken iPhones. Those, who jailbreak their iPhones, do so in violation of their promise to not modify the iPhone OS. That alone relieves Apple of any legal or moral obligation to repair security flaws in jailbroken iPhones."
That does sound to me a little like the familiar Mac Fanboi position of "No Mac user would ever be stupid enough to do something insecure and if they do it's their own fault." Still, no-one said that Apple is under an obligation to secure jailbroken phones: well, I certainly didn't. In fact, I don't condone or advocate jailbreaking, as you'll have gathered from my earlier blogs, if you read them. I do think, though, that Apple should consider whether there are ways of proactively mitigating vulnerabilities introduced by jailbreaking. Or even of introducing safer ways of allowing the installation of unapproved applications, though allowing any app install is going to be less safe than maintaining an iron grip and blocking any unauthorised install. (And that applies on any platform.)
If Apple can introduce any proactive mitigation, though, the community will benefit from being a little bit better protected from itself (isn't that mostly what security people do?), and Apple will benefit from being perceived as going the extra mile.
On the subject of things I didn't say, I notice that some of our competitors are saying that this is a non-issue because there's nothing new about it. Absolutely right: it's just another vulnerability, though the fact that it's introduced by the end user is mildly interesting. Given that there's a simple way of short-circuiting it, though, I can't see why you wouldn't pass on that information. It's called good netizenship, guys…
Incidentally, my colleague Aryeh Goretsky drew my attention to another interesting Proof-of-Concept case of strangling by Python script, in this case an allegedly remotely exploitable kernel crash in Windows 7.0/Server 2008R2. Since I'm not sure I'm in the full-disclosure business, I'll do some checking before I give more details here.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/