An Open source advertisement platform, OpenX, is susceptible to code injection and serves rogue AV. Security researchers at Amorize blogged about 2 separate ongoing attacks serving Security Sphere 2012 malware.

OpenX on itself is quite common and useful platform. It lets small businesses display and rotate advertisements on their blog without paying to 3rd party advertisement networks. However this example shows that it is a vulnerable platform, and should not be used blindly. Like with any other free package, one should update OpenX when security update is released. Without updates, known vulnerabilities accumulate and allow hackers miss-use your web space and display malicious, unwanted advertisements.

OpenX has another vulnerability too: Its advertising “market”. It allows showing 3rd party ads from its network when advertisement space is cheap enough or unfilled. This effectively opens ones site for potentially unwanted ads that haven’t been reviewed by site owner. I am not sure how decent advertisement review process is in OpenX network, but last breaches makes me believe that ads are not reviewed properly.

How to solve this problem? First, I suggest moving to different platforms. One obvious choice would be Google’s DFP. It has its own limitations (like ads policy) and you will need AdSense account too, however malicious ads in Adsense are caught faster.

Another solution is constant review of advertisements, shown in the website and website monitoring for JavaScript changes. This is not an easy task. There are many places where something might go wrong. However, if you have web property, you should keep it safe enough for your visitors or you will end in website blacklist.