The Free and Open Productivity Suite
Released: Apache OpenOffice 4.1.15

About Security, BadBunny, and Macros

23 May 2007

There has been press comment recently about the "SB/BadBunny-A" virus affecting reported by an anti-virus company.

Industry best practice would have been for the anti-virus company to report the virus to the security team before making this information public. Unfortunately this did not happen in this case. will issue a detailed analysis once a copy of the virus has been received. However, due to the volume of interest in the media, the Community would like to issue the following comments, based on the information available.

Macros are a useful part of any office suite, allowing users to automate repetitive tasks. These tasks include potentially destructive actions such as modifying and deleting files, which is why macros are of interest to virus writers.

It is possible in any capable macro language, including that used by, to write simple 'virus-like' programs. Currently, follows industry best practice to mitigate the risk. If the software detects macros in a document being opened, by default it displays a warning and will only run the macro if the user specifically agrees. In any macro-capable tool, it is essential to verify the origin and authenticity of the document before executing macros. To this end, has also included advanced digital signature capabilities.

The engineers take the security of the software very seriously, and will react promptly to any new issues. To do this, they require access to the source code for the alleged virus. From information currently available, it is unlikely that this new virus contains any novel features which would require a software patch. Technically, it is not even a virus, as it is not "self-replicating" - with's default settings, it cannot spread without user intervention.

However, the community repeats the consistent message from security experts that users should never accept files from unknown sources. For any security issue, please visit's Security Team page.

Apache Software Foundation

Copyright & License | Privacy | Contact Us | Donate | Thanks

Apache, OpenOffice, and the seagull logo are registered trademarks of The Apache Software Foundation. The Apache feather logo is a trademark of The Apache Software Foundation. Other names appearing on the site may be trademarks of their respective owners.