Rick B - Catharsis
20 June

New Apple Exploit appears in the wild

It appears that the ARDAgent vulnerability that was recently identified for OS X has been exploited in the PokerGame Trojan. See this article for a bit more information. Not a surprise that the exploit can't actually do anything unless you download and execute the trojan, which results in the program executing SSH and transmitting username, password, and IP address to the server. It does prompt for admin authentication, and notes so far are unclear on whether declining to authenticate prevents the malware from executing - although that would be logical given the security model in OS X.

03 June

Network World article on Smartphones and Security Risks

Smartphones 'bigger security risk' than laptops - Network World

This is a surprise? The real challenge, especially as smartphones become more feature-rich, is the way people use a phone. They don't have much tolerance for locking the device, or adhering to security procedures. You want a phone that is easy to answer, easy to dial. The idea behind a PDA (with emphasis on the "Assistant" part regardless of the "Personal Digital" part) is also ease of use and convenience to access the data. I constantly find myself needing to easily find my calendar and/or contacts while on a call.

So then along comes the Security or Compliance Officer, whose interests are in direct opposition to what I just wrote. It's going to be a long road to compromise until there is a simple, intuitive way for the PDA (read: phone) to recognize that the person holding it should have access to that sensitive data. Biochipping is probably an answer, but I find it difficult to believe that people would allow for the insertion of an RFID tag into their hand to facilitate a secure smartphone experience.

For now the answer, in my opinion, is not enforcing phone locking or passcodes; instead it's working to educate the users as to what is appropriate and what is not appropriate to store on the phone. Not an easy answer. But I think it's a practical one.

Which leads to the question: do you code-lock your smartphone, or can anyone pick it up and start using it?