OpenX releases mandatory fix to prevent ad server trojan attacks

OpenX fixes a security flaw that could have helped attackers serve up malicious ads since November last year.


OpenX has released a new version of its ad server product to address a backdoor that may have been used to serve up malicious banner ads since November 2012.

The advertising tech company confirmed on Wednesday that its free open source ad serving product OpenX Source v2.8.10 had been compromised and allowed attackers to use vulnerable instances of the distribution to serve up malicious ads — a problem that has been noticed in recent months in Germany.

In a blogpost on Wednesday, OpenX senior application security engineer Nick Soraccor said that two files in the binary distribution of 2.8.10 had been replaced with modified files that contained a remote code execution vulnerability.

OpenX has now released OpenX Source v2.8.11, which according to Soraccor, is a "mandatory upgrade" for all users of 2.8.10 that should be applied immediately. The ZIP file is available on OpenX's forums in addition to instructions on how to identify the attack code. 

The vulnerability does not affect OpenX's other products, including OpenX Market, OpenX Enterprise and OpenX Lift, according to Soraccor.

While OpenX has confirmed the distribution was vulnerable, it did not make clear when the weakness was introduced. However, initial reports suggest the problem could have been present since November 2012 and the vulnerabilities in OpenX have been on the radar of German authorities for months.  

German tech site Heise notified Germany's computer emergency response team (CERT) this week about the OpenX backdoor, reporting that it allowed an attacker to inject and execute arbitrary PHP code on the server.

In an advisory yesterday, Germany's Federal Office for Information Security reported that it "assumes that the backdoor had been included in the installation packages for several months".

The office issued previous alerts in April and January this year, pointing to vulnerabilities in OpenX 2.8.10 as the source of widespread banner ad malware attacks delivered through popular German websites.

According to a blogpost by Paul Ducklin, consultant at security firm Sophos, the attack code is written in PHP but is hidden in a JavaScript file that is part of a video player plugin (vastServeVideoPlayer) in the OpenX distribution.
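Given the hiding place described above (PHP code tucked inside a JavaScript file), a simple defender-side check, added here as an example and not OpenX's or Sophos's own identification instructions, is to walk an install tree and flag any .js file that carries a PHP open tag. The directory layout, file names and file contents below are constructed for the demonstration and are not the real tampered files.

```python
import os
import re
import tempfile

# Heuristic: a PHP open tag has no business inside a JavaScript file.
# Matches "<?php", "<?=" and the short "<?" tag followed by whitespace;
# "<?xml" is deliberately not matched.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)")


def find_php_in_js(root):
    """Walk `root` and return the .js files (sorted, relative paths) that
    contain a PHP open tag. Files are read as bytes so an odd encoding
    does not abort the scan."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if PHP_OPEN_TAG.search(fh.read()):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (not the real OpenX package): one clean
    player script and one script with PHP smuggled in after normal JS."""
    root = tempfile.mkdtemp(prefix="openx-scan-")
    plugin = os.path.join(root, "plugins", "vastServeVideoPlayer")
    os.makedirs(plugin)
    with open(os.path.join(plugin, "clean.js"), "wb") as fh:
        # An XML declaration inside a string literal must not trigger a hit.
        fh.write(b"function play() { return '<?xml version=\"1.0\"?>'; }\n")
    with open(os.path.join(plugin, "tampered.js"), "wb") as fh:
        fh.write(b"var player = 1;\n"
                 b"<?php /* constructed placeholder, not the real backdoor */ ?>\n")
    return root


if __name__ == "__main__":
    for rel in find_php_in_js(build_sample_tree()):
        print("suspicious:", rel)
```

A hit from this scan is a reason to diff the file against a freshly downloaded 2.8.11 package, not proof on its own, since the check is a heuristic rather than OpenX's published indicators.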