Clippy Has a Dark Side, Microsoft Says

Clippy, the Microsoft Office Assistant, has inspired a range of feelings from annoyance to outright loathing since arriving in 1997. Microsoft Corp. now says Clippy may be a dangerous security hole; since the Office Assistant is Active X enabled, it can act as a back door for malicious users. Microsoft has released a patch, which it says eliminates the security issues.

The Office Assistant, which defaults as a helpful paper clip animation, aids new users in taking advantage of Office’s full functionality. The Office Assistant has the ability to perform any Office task, helping users perform simple tasks with an intuitive interface.

Clippy’s scripting capabilities allows ambitious administrators to create custom macros for new users. Microsoft ( Active X scripting in Office 2000’s Office Assistant, unintentionally creating the security issue. Active X is a protocol allowing greater scripting functionality on the Internet. Because of the unlimited functionality of the Office Assistant, malicious web administrators could potentially write scripts for the Office Assistant to perform destructive tasks.

One potential use of the Office Assistant is launching destructive macros or Visual Basic scripts. The “love bug” worm was a Visual Basic script.

Ever since Clippy debuted with Office 97, some users have been frustrated and annoyed with the automated, dumbed down help feature. Magazines have even offered technical advice on getting rid of the box. Posters on the Slashdot message board ( had mixed feelings about the revelations.

“Just what we need. The stupid 3D paper clip jumps up and tells you it loves you,” wrote one reader, referring to the recent “love bug” worm. Other posters had suggestions for creative uses of the security hole: “It would be even funnier to have the Office Assistant explain why he is doing bad things to the system as the malicious code runs--let the user think that the clip is sick of being his secretary,” wrote another Slashdotter.

Active X is a safe technology, according to Microsoft, who attributes the back door to human error. The patch prevents Active X control of the Office Assistant via the web. The patch is available at: -Christopher McConnell

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

comments powered by Disqus
Most   Popular