Sunday, August 8, 2010

Security Flaw Allows Users to Jailbreak their iPhones

When is a security flaw not a security flaw? There are a lot of happy iPhone people this week who have been able to "jailbreak" their iPhones thanks to a security flaw in Apple's iOS4 [through version 4.0.1]. While many iPhone users — myself included — are content to run our iPhones the way Steve Jobs intended, many users are known to chafe at the limits that Jobs [and AT&T] have built into the iPhone. Hence the demand for products that allow these disgruntled users to break their iPhones out of the jail to which they have been sentenced by Jobs [and AT&T].

The Apple flaw manifests in PDF readers, like those of Adobe and Foxit. And while no one knows of any security exploits targeting this vulnerability, these kinds of holes are the scary stuff that keeps us security experts up at night.

As Brian Krebs writes in KrebsOnSecurity.com: "I’m left wondering what to call these sorts of vulnerabilities that quite obviously give users the freedom that jailbreaking their device(s) allows (the ability to run applications that are not approved and vetted by Apple) but that necessarily direct the attention of attackers to very potent vulnerabilities that can be used to target jailbreakers and regular users alike."

Perhaps we ought to view these jailbreakers the same way we view the proverbial canaries in the mine: as early-warning systems designed to alert the rest of us to vulnerabilities needing to be corrected. If the jailbreakers can find vulnerabilities before the cybercriminals have found and exploited them, then the community benefits from their efforts.