OpenX has released an important security update for OpenX Source, the open source ad serving product. The downloadable ZIP archive of OpenX Source 2.8.10 was compromised to include a backdoor that would allow an attacker to upload and execute arbitrary PHP code. Compromised OpenX Source ad servers could be used in combination with various types of drive-by download, watering hole, and phishing attacks on web browsers and plug-ins.
US-CERT recommends users and administrators review the OpenX blog and forum posts and follow best practice security policies to determine if their organization is affected and take appropriate actions.
Some additional steps that users could implement to protect their web browsers include disabling or whitelisting scripts and plug-ins, or requiring a click-to-play option before launching an application in the browser. More information on these steps can also be found in the US-CERT publication Securing Your Web Browser.