Date: 23 September 2010
With the commercialisation of business online, third-party web advertisement systems provide a potential way to compromise many trusted web sites quickly. Businesses that host third-party advertisement applications need to understand the risks this poses and ensure these systems do not present an opportunity to compromise their web site and, in the process, the customers and visitors to their own site.
A couple of weeks ago we mentioned that we had received a number of reports regarding malware being distributed via advertising networks, or advertising providers. It appears that this particular attack vector has been increasing over the last twelve months or so as a method of mass infection, affecting hundreds or more web sites simultaneously. One particular open source advertising product appears to be regularly targeted: OpenX. Serving up a staggering 350 billion advertisements a month, with over 80,000 publishers, OpenX is a particularly popular target, and is continuing to increase in popularity with each passing month. The authors of OpenX have sometimes been forthcoming with information when new security vulnerabilities have been identified, reacting reasonably quickly to the issues and releasing updates.
In January 2009, OpenX claimed to have fixed and released updates for a vulnerability within 48 hours of its disclosure, and stressed that they "... take security matters very seriously at OpenX ...." However, on 23 December 2009, Computerworld published an article regarding OpenX ad servers being compromised to insert iframes redirecting to a web site in China which contained Adobe exploit code. OpenX's response was that they were aware of "... no major vulnerabilities associated with the current version of the software - 2.8.2 - in either its downloaded or hosted forms ...." Ironically, on 24 December 2009, OpenX published a very different statement on their blog, stating that there was indeed a remote vulnerability in version 2.8.2, and recommending all users upgrade to version 2.8.3. Indeed, the vulnerability was so severe that it allowed anyone to log in to OpenX as an Administrator.
Last week, AusCERT published a security bulletin regarding a new vulnerability in OpenX which led to the release of version 2.8.7. The vendor did not provide any information regarding the impact of the vulnerability itself on its blog, but urged users to upgrade immediately to the new version. To find out more about this vulnerability, we had to turn to the personal blog of someone who had himself been affected by it. Florian Sander, on his personal blog, made mention of a critical flaw in OpenX 2.8.6 and possibly earlier versions which allowed attackers to "... gain control of the webserver account and thus the adserver ..." and that the "... security hole is being actively exploited in the wild ...." Apparently he had "... learned the hard way ..." about the active exploitation of this vulnerability. He goes on to say that the vulnerability is a result of a file which allows attackers to "... upload any file to the server including executables ..." and that, by uploading a PHP backdoor, attackers could gain full access to a webserver running OpenX.
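As an added example (not AusCERT's or OpenX's code), this is the kind of check an upload handler needs so that a flaw like the one Sander describes cannot turn a banner upload into a PHP backdoor. It assumes the endpoint should accept only GIF, PNG or JPEG banners, which the page does not state, and the same checks double as a scan over an existing upload directory for files a responder should examine.

```python
import os
import re

# Magic bytes for the image formats a banner upload endpoint would accept
# (an assumption for this example; the page does not describe OpenX's handler).
ALLOWED_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# PHP opening tags: an "image" that carries one is a candidate backdoor.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def check_upload(filename, data):
    """Return (accepted, reason) for an upload candidate.

    Rejects anything that is not a real image of an allowed type, and any
    name that a multi-extension-aware server could execute as PHP (for
    example 'ad.php.gif' under Apache's mod_mime), which is how an
    arbitrary upload hole becomes a web shell.
    """
    segments = os.path.basename(filename).lower().split(".")
    if len(segments) < 2 or not segments[0]:
        return False, "missing or hidden extension"
    if any(s.startswith("php") or s == "phtml" for s in segments[1:]):
        return False, "PHP-like extension segment"
    ext = "." + segments[-1]
    if ext not in ALLOWED_MAGIC:
        return False, "extension %s not allowed" % ext
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match %s signature" % ext
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"


def scan_upload_dir(files):
    """Apply the same checks to files already on disk (name -> bytes) and
    return the names that fail, sorted, for a responder to inspect."""
    return sorted(n for n, d in files.items() if not check_upload(n, d)[0])


# Constructed sample: one clean banner, one PHP file, one image/PHP polyglot.
SAMPLE_DIR = {
    "banner.gif": b"GIF89a\x01\x00\x01\x00\x00\xff\xff\xff\x00\x00\x00;",
    "up.php": b"<?php echo 'hi'; ?>",
    "logo.gif": b"GIF89a<?php echo 'hi'; ?>",
}

if __name__ == "__main__":
    print(scan_upload_dir(SAMPLE_DIR))  # ['logo.gif', 'up.php']
```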
After the release of version 2.8.7, and repeated exploitation of this most recent and other previous vulnerabilities, it seems OpenX is now taking the security of its product seriously and trying to educate its users by publishing a document on its blog entitled How to Secure your OpenX installation. The vendor now encourages users to sign up for its Newsletter to be notified about future security updates, and anyone with information about vulnerabilities in OpenX to contact them via email. Most of the compromised web sites reported to us have been running older, outdated versions of OpenX with known vulnerabilities and, in some cases, versions many revisions older than the current one. Generally, you should always run the latest version of a software package, or else follow the vendor's mitigation recommendations, when available, in the event of a vulnerability in a current version.
For more information about products/services on the web which can inform you if your site has been compromised and may contain malicious code, please take a look at some of the links contained here: https://www.auscert.org.au/11962
Information Security Analyst
New Quicktime, iTunes, Chrome, Cisco BGP update and more...
OpenX Blog
Hackers hit OpenX ad server in Adobe attack
OpenX Blog
ASB-2010.0211 - [Win][UNIX/Linux] OpenX prior to 2.8.7: Reduced security - Unknown/unspecified
OpenX Blog
Critical vulnerability in OpenX 2.8.6 & Open Flash Chart 2
Security Update: How to Secure your OpenX installation