News

Clippy Has a Dark Side, Microsoft Says

• By Scott Bekker
• 05/17/2000

The Office Assistant, which defaults as a helpful paper clip animation, aids new users in taking advantage of Office’s full functionality. The Office Assistant has the ability to perform any Office task, helping users perform simple tasks with an intuitive interface.

Clippy’s scripting capabilities allows ambitious administrators to create custom macros for new users. Microsoft (www.microsoft.com)enabled Active X scripting in Office 2000’s Office Assistant, unintentionally creating the security issue. Active X is a protocol allowing greater scripting functionality on the Internet. Because of the unlimited functionality of the Office Assistant, malicious web administrators could potentially write scripts for the Office Assistant to perform destructive tasks.

One potential use of the Office Assistant is launching destructive macros or Visual Basic scripts. The “love bug” worm was a Visual Basic script.

Ever since Clippy debuted with Office 97, some users have been frustrated and annoyed with the automated, dumbed down help feature. Magazines have even offered technical advice on getting rid of the box. Posters on the Slashdot message board (www.slashdot.org) had mixed feelings about the revelations.

“Just what we need. The stupid 3D paper clip jumps up and tells you it loves you,” wrote one reader, referring to the recent “love bug” worm. Other posters had suggestions for creative uses of the security hole: “It would be even funnier to have the Office Assistant explain why he is doing bad things to the system as the malicious code runs--let the user think that the clip is sick of being his secretary,” wrote another Slashdotter.

Active X is a safe technology, according to Microsoft, who attributes the back door to human error. The patch prevents Active X control of the Office Assistant via the web. The patch is available at: http://www.microsoft.com/technet/security/bulletin/fq00-034.asp. -Christopher McConnell