About Security, BadBunny, and Macros
23 May 2007
There has been press comment recently about the "SB/BadBunny-A" virus affecting OpenOffice.org reported by an anti-virus company.
Industry best practice would have been for the anti-virus company to report the virus to the OpenOffice.org security team before making this information public. Unfortunately this did not happen in this case. OpenOffice.org will issue a detailed analysis once a copy of the virus has been received. However, due to the volume of interest in the media, the Community would like to issue the following comments, based on the information available.
Macros are a useful part of any office suite, allowing users to automate repetitive tasks. These tasks include potentially destructive actions such as modifying and deleting files, which is why macros are of interest to virus writers.
It is possible in any capable macro language, including that used by OpenOffice.org, to write simple 'virus-like' programs. Currently, OpenOffice.org follows industry best practice to mitigate the risk. If the software detects macros in a document being opened, by default it displays a warning and will only run the macro if the user specifically agrees. In any macro-capable tool, it is essential to verify the origin and authenticity of the document before executing macros. To this end, OpenOffice.org has also included advanced digital signature capabilities.
The OpenOffice.org engineers take the security of the software very seriously, and will react promptly to any new issues. To do this, they require access to the source code for the alleged virus. From information currently available, it is unlikely that this new virus contains any novel features which would require a software patch. Technically, it is not even a virus, as it is not "self-replicating" - with OpenOffice.org's default settings, it cannot spread without user intervention.
However, the OpenOffice.org community repeats the consistent message from security experts that users should never accept files from unknown sources. For any security issue, please visit OpenOffice.org's Security Team page.