OpenX used to serve malicious advertisements
Security researcher Brian Krebs has reported on an as yet unpatched vulnerability in the open source advertising platform OpenX, which is being used to plant malware on web sites that use the software to serve ads to their visitors. OpenX has since acknowledged the security hole and has published a workaround on its blog. According to Krebs, OpenX CTO Michael Todd has promised a fix for the affected versions of OpenX "early next week".
Krebs was unable to ascertain whether this security vulnerability is connected in any way to a similar CSRF flaw that was discovered in an older version of OpenX in June 2011. This is not the first time OpenX installations have been targeted by criminals seeking to distribute malware through advertising banners; similar attacks happened in September 2010 and January 2009.
The OpenX blog posting advises users to remove the vulnerable files from their installations and gives instructions on how to do so. Users should also check whether the "openx-manager" user exists on their system and remove it if it does. OpenX is available both as a GPLv2-licensed version and as a hosted solution under a proprietary licence. Both versions are affected by the security vulnerability.