OpenX advertising software flaw leaves websites vulnerable

A flaw in the OpenX advertising software is being exploited by hackers and allowing them to place malicious code on advertisements on several popular websites over the past week.


A flaw in the OpenX advertising software is being exploited by hackers and allowing them to place malicious code on advertisements on several popular websites over the past week.

The attackers are taking advantage of a pair of bugs in the OpenX advertising software to login to advertising servers and then place malicious code on ads being served on the sites.

Cartoon syndicator King Features said that it had been hacked last week, because of the OpenX bugs. The company's Comics Kingdom product, which delivers comics and ads to about 50 websites, was affected.

After being notified of the problem Thursday morning, King Features determined that "through a security exploit in the ad server application, hackers had injected a malicious code into our ad database", the company said on its website.

King Features said that the malicious code used a new, unpatched Adobe attack to install malicious software on victims' computers, but that could not immediately be verified.

Another OpenX user, the Ain't It Cool News website was reportedly hit with a similar attack last week.

Web based attacks are a favourite way for cyber-criminals to install their malicious software and this latest round of hacks shows how ad server networks can become useful conduits for attack.

In September, scammers placed malicious software on The New York Times' website by posing as legitimate ad buyers.

This same technique that worked on King Features and Ain't It Cool News was used to hack into at least two other websites last week, according to one OpenX administrator who spoke on condition of anonymity.

Attackers used one attack to get login rights to his server, and then uploaded a maliciously encoded image that contained a PHP script hidden inside it, he said.

By viewing the image, attackers forced the script to execute on the server. It then attached a snippet of HTML code to every ad on the server. K

nown as an iFrame, this invisible HTML object then redirected visitors to a website in China that downloaded the Adobe attack code.

OpenX said that it was aware of "no major vulnerabilities associated with the current version of the software - 2.8.2 - in either its downloaded or hosted forms".

At least one OpenX user believes that the current version of the product may be vulnerable to part of this attack, however.

In a forum post, a user said that he was hacked while running an older version of the software, but that the current (2.8.2) version is also vulnerable.

"If you are running a current, unmodified release of OpenX, it is possible to anonymously log in to the admin site and gain administrator-level control of the system," he said.

More details on the OpenX hack can be found here.

When researchers at Praetorian Security Group looked at the Adobe attack, it did not leverage the unpatched Adobe bug, said Daniel Kennedy, a partner with the security consultancy.

Instead, the attack marshalled an assortment of three different Adobe exploits, he said. "We're seeing no evidence that it's the 0day that will be patched by Adobe in January."

Security experts say that the Adobe flaw has not been widely used in online attacks, even though it has been publicly disclosed. Symantec said it had received less than 100 reports of the attack.

That may be because many people are still running older versions of Reader that are vulnerable to other attacks. Adobe has been a favorite target of readers since a similar bug emerged last February.

Adobe patched the issue in March, but users can avoid this attack and the current Adobe issue by simply disabling JavaScript within their Reader software.

"Everybody should have just changed the behavior on their Adobe reader," said Gary Warner, director of research in computer forensics at the University of Alabama.

"Recommended For You"

Adobe Reader zero-day vulnerability exploited by hackers Adobe Reader and Acrobat attack in the wild