Clippy Has a Dark Side, Microsoft Says
Once just annoying, Microsoft Corp. now says Clippy, the animated Microsoft Office Assistant, may be a dangerous security hole. Redmond recently issued a patch to guard against malicious use of Clippy.
Since the Office Assistant is Active-X-enabled, it can act as a back door for malicious users. The patch disables Active X functionality in Clippy.
The Office Assistant, which defaults as a helpful paper clip animation, helps new users take advantage of Office’s full functionality. The Office Assistant has the ability to perform any Office task, helping users perform simple tasks with an intuitive interface.
Clippy’s scripting capabilities allow ambitious administrators to create custom macros for new users. Microsoft (www.microsoft.com) enabled Active X scripting in Office 2000’s Office Assistant, unintentionally creating the security issue. Active X is a protocol that allows greater scripting functionality on the Internet. Because of the unlimited functionality of the Office Assistant, malicious users could potentially write scripts for the Office Assistant to perform destructive tasks.
One possibility is the use of the Office Assistant to launch destructive macros or Visual Basic scripts. The ILOVEYOU worm, for example, was a Visual Basic script.
Since Clippy debuted with Office 97, some users have been frustrated and annoyed with the automated, dumbed-down help feature.
The Clippy patch was the third security patch Microsoft released during the week of May 14. Unlike the other patches, Clippy provided a source of humor for security minded users. Posters on the Slashdot message board (www.slashdot.org) seized upon the opportunity, and played off of the widespread loathing of Clippy.
"Just what we need. The stupid 3-D paper clip jumps up and tells you it loves you," wrote one reader, referring to the recent "love bug" worm.
Active X is a safe technology, according to Microsoft. Redmond attributes the back door to human error -- a Microsoft employee unaware of Clippy’s broad functionality marked the tool "safe for scripting." The patch prevents Active X control of the Office Assistant via the Web. The patch is available at www.microsoft.com/technet/security/bulletin/fq00-034.asp.