OpenX Plans Fix for Security Flaw
Krebs on Security's Brian Krebs reports that hackers are actively exploiting an unpatched vulnerability in the OpenX ad server solution in order to run ads that serve malware and browser exploits.

"Security experts have been warning for months about mysterious attacks on OpenX installations in which the site owners discovered new rogue administrator accounts," Krebs writes. "That access allows miscreants to load tainted ads on sites that rely on the software. The bad ads usually try to foist malware on visitors, or frighten them into paying for bogus security software. OpenX is only now just starting to acknowledge the attacks, as more users are coming forward with unanswered questions about the mysteriously added administrator accounts."

"The first compromised systems were discovered by Infosec researcher Mark Baldwin, who found that attackers were exploiting a cross-site request forgery (CSRF) vulnerability to create a malicious 'openx-manager' account on affected systems and then started serving ads with malicious payloads via the OpenX platform," The H Security reports. "This account gets created by JavaScript executed when a legitimate administrator logs into the advertising platform and is served an ad in the administration interface that comes from OpenX's own advertising servers."
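The account-creation pattern described above, modelled as an added example (not OpenX's code): a request carrying only the admin's session cookie is enough for the pre-fix handler, while the hardened handler also demands a per-session token and checks the Origin header, which a script running in a cross-origin ad frame cannot supply. Hostnames, field names and the user store are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
ADMIN_ORIGIN = "https://ads.example.test"  # constructed hostname of the admin UI

@dataclass
class Session:
    user: str  # logged-in admin; the browser attaches this session as a cookie
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    session: Optional[Session]    # taken from the cookie the browser sent automatically
    form: Dict[str, str]          # POST body
    origin: Optional[str] = None  # Origin header set by the browser, not by page script

def _is_admin(req: Request, users: Dict[str, str]) -> bool:
    return req.session is not None and users.get(req.session.user) == "admin"

def create_user_vulnerable(req: Request, users: Dict[str, str]) -> bool:
    # Pre-fix pattern: the session cookie alone authorises the action, so a script
    # in a cross-origin ad frame can POST here and the browser supplies the cookie.
    if not _is_admin(req, users):
        return False
    users[req.form["username"]] = req.form["role"]
    return True

def create_user_hardened(req: Request, users: Dict[str, str]) -> bool:
    # Fix: require a per-session token only the admin UI page knows, and reject
    # requests whose Origin is not the admin UI itself.
    if not _is_admin(req, users) or req.origin != ADMIN_ORIGIN:
        return False
    if not hmac.compare_digest(req.form.get("csrf_token", ""), req.session.csrf_token):
        return False
    users[req.form["username"]] = req.form["role"]
    return True

def simulate() -> Dict[str, Dict[str, str]]:
    # Replay the reported pattern: an ad script forging an 'openx-manager' admin account.
    admin = Session(user="alice")
    forged = Request(admin, {"username": "openx-manager", "role": "admin"},
                     origin="https://adserver.example.test")  # constructed ad-server origin
    legit = Request(admin, {"username": "bob", "role": "editor",
                            "csrf_token": admin.csrf_token}, origin=ADMIN_ORIGIN)
    vulnerable, hardened = {"alice": "admin"}, {"alice": "admin"}
    create_user_vulnerable(forged, vulnerable)   # succeeds: rogue admin created
    create_user_hardened(forged, hardened)       # rejected: no token, wrong Origin
    create_user_hardened(legit, hardened)        # accepted: real admin-UI submission
    return {"vulnerable": vulnerable, "hardened": hardened}
```

Note that the token check only helps when the ad content runs cross-origin; ad markup rendered directly inside the admin page's own origin can read the token, so keeping untrusted ads out of the admin UI (or confining them to a separate-origin frame) is part of the same fix.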

Krebs says OpenX CTO Michael Todd hopes to roll out an official fix as soon as possible -- in the interim, Todd has posted a list of steps for users to take to protect their systems. "What we’re going to do early next week -- on Monday or Tuesday -- is release a new version of OpenX for people to download as soon as possible," Todd said. "We’re taking an extra few days to make sure that this gets done correctly and that we’re doing all the testing we need to do before we push that out."