OpenX releases mandatory fix to prevent ad server trojan attacks

Summary: OpenX fixes a security flaw that could have helped attackers serve up malicious ads since November last year.

TOPICS: Security, Servers
OpenX has released a new version of its ad server product to address a backdoor that may have been used to serve up malicious banner ads since November 2012.

The advertising tech company confirmed on Wednesday that its free open source ad serving product OpenX Source v2.8.10 had been compromised and allowed attackers to use vulnerable instances of the distribution to serve up malicious ads — a problem that has been noticed in recent months in Germany.

In a blogpost on Wednesday, OpenX senior application security engineer Nick Soraccor said that two files in the binary distribution of 2.8.10 had been replaced with modified files that contained a remote code execution vulnerability.

OpenX has now released OpenX Source v2.8.11, which according to Soraccor is a "mandatory upgrade" for all users of 2.8.10 and should be applied immediately. The ZIP file is available on OpenX's forums, along with instructions on how to identify the attack code.

The vulnerability does not affect the company's other products, including OpenX Market, OpenX Enterprise and OpenX Lift, according to Soraccor.

While OpenX has confirmed the distribution was vulnerable, it did not make clear when the weakness was introduced. However, initial reports suggest the problem could have been present since November 2012, and vulnerabilities in OpenX have been on the radar of German authorities for months.

German tech site Heise notified Germany's computer emergency response team (CERT) this week about the OpenX backdoor, reporting that it allowed an attacker to inject and execute arbitrary PHP code on the server.

In an advisory yesterday, Germany's Federal Office for Information Security reported that it "assumes that the backdoor had been included in the installation packages for several months".

The office issued previous alerts in April and January this year, pointing to vulnerabilities in OpenX 2.8.10 as the source of widespread banner ad malware attacks delivered through popular German websites.

According to a blogpost by Paul Ducklin, consultant at security firm Sophos, the attack code is written in PHP but is hidden in a JavaScript file belonging to a video player plugin (vastServeVideoPlayer) that ships with the OpenX distribution.
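The article gives a defender two concrete facts to work with: the tampered 2.8.10 package differed from the genuine release in two replaced files, and the planted code was PHP sitting inside a JavaScript file of the vastServeVideoPlayer plugin. The script below is an added example and not OpenX's published instructions for identifying the attack code. It reads a deployed tree and a known-good reference tree and reports static files (JavaScript, CSS, XML and the like) that contain a PHP open tag, plus files that differ from, are missing from, or were added relative to the reference. The sample trees, file contents and plugin directory layout are constructed for illustration and do not reflect OpenX's real file layout.

```python
"""Integrity checks for a deployed web-application tree.

Added example; this is not OpenX's published procedure for finding the
planted code. It builds on two things the article states: the tampered
2.8.10 package had files replaced relative to the genuine release, and
the planted code was PHP hidden inside a JavaScript file.
"""
import hashlib
import os
import re
import sys

# A full PHP open tag, or the echo short tag. The bare short tag "<?" is
# deliberately not matched so that "<?xml ...?>" prologs do not trip the check.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)")

# File types that are served as static assets and should never carry PHP.
STATIC_SUFFIXES = (".js", ".css", ".html", ".htm", ".txt", ".json", ".xml")


def find_php_in_static_files(files):
    """files maps relative path -> content bytes.

    Returns the sorted paths of static files that contain a PHP open tag."""
    return sorted(
        path for path, data in files.items()
        if path.lower().endswith(STATIC_SUFFIXES) and PHP_OPEN_TAG.search(data)
    )


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def diff_against_reference(reference, deployed):
    """Compare a deployed tree with a known-good tree (for example an
    unpacked release whose checksum you verified out of band).

    Returns (modified, added, missing), each a sorted list of paths."""
    modified = sorted(
        path for path in reference
        if path in deployed and sha256_hex(reference[path]) != sha256_hex(deployed[path])
    )
    added = sorted(path for path in deployed if path not in reference)
    missing = sorted(path for path in reference if path not in deployed)
    return modified, added, missing


def load_tree(root):
    """Read every file under root into the dict form the checks use."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files


# Constructed sample trees. The plugin path borrows the plugin name the
# article mentions but is a placeholder, not the real layout of OpenX.
REFERENCE = {
    "plugins/videoPlayer/vastServeVideoPlayer/player.js":
        b"function play() { console.log('ok'); }\n",
    "lib/Max.php": b"<?php\n// genuine library code\n",
    "www/admin/index.php": b"<?php\n// admin entry point\n",
    "etc/config.xml": b"<?xml version=\"1.0\"?>\n<config/>\n",
}
DEPLOYED = {
    # Same JavaScript with a PHP block appended: the pattern the article describes.
    "plugins/videoPlayer/vastServeVideoPlayer/player.js":
        b"function play() { console.log('ok'); }\n"
        b"<?php /* constructed placeholder for planted code */ ?>\n",
    "lib/Max.php": b"<?php\n// genuine library code\n",
    "lib/Extra.php": b"<?php\n// file not present in the reference\n",
    "etc/config.xml": b"<?xml version=\"1.0\"?>\n<config/>\n",
}


def run_checks(reference, deployed):
    """Run both checks and return a single report dict."""
    modified, added, missing = diff_against_reference(reference, deployed)
    return {
        "php_in_static": find_php_in_static_files(deployed),
        "modified": modified,
        "added": added,
        "missing": missing,
    }


if __name__ == "__main__":
    # Usage: python check_tree.py <reference_dir> <deployed_dir>
    # With no arguments the constructed sample trees are checked instead.
    if len(sys.argv) == 3:
        report = run_checks(load_tree(sys.argv[1]), load_tree(sys.argv[2]))
    else:
        report = run_checks(REFERENCE, DEPLOYED)
    for key, paths in report.items():
        print(f"{key}: {paths}")
```

Two design points: the bare `<?` short tag is not matched, because XML prologs in configuration files would otherwise produce false positives; and the reference tree is only as trustworthy as its provenance, since in this incident the official download itself was the tampered artifact, so the reference should be a copy whose checksum or signature was verified out of band (the genuine source checkout, or the 2.8.11 package from OpenX's forums).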

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code, for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

Talkback

1 comment
  • Dear ZDNet moderator, please add this article to topic 'open-source'

    From the article:
    o "two files in the binary distribution of 2.8.10 had been replaced with modified files that contained a remote code execution vulnerability."
    o "a backdoor that may have been used to serve up malicious banner ads since November 2012"

    OpenX is open-source "software distributed under the GPLv2 license":

    http://www.opensource.be/openx/

    What happened to many-eyes? Well, in this particular case, the source code was apparently left unchanged and the binary distribution was modified by the miscreants. Does this mean that one should compile their applications from source code, as Mr. Davidson believes?

    "IRC server had backdoor in source code for months - Update"
    http://www.h-online.com/open/news/item/IRC-server-had-backdoor-in-source-code-for-months-Update-1020987.html

    The source code for UnrealIRCd made it into Gentoo's repositories.
    Rabid Howler Monkey