Clippy Has a Dark Side, Microsoft Says

Clippy, the Microsoft Office Assistant, has inspired a range of feelings from annoyance to outright loathing since arriving in 1997. Microsoft Corp. now says Clippy may be a dangerous security hole; since the Office Assistant is Active X enabled, it can act as a back door for malicious users. Microsoft has released a patch, which it says eliminates the security issues.

The Office Assistant, which defaults as a helpful paper clip animation, aids new users in taking advantage of Office’s full functionality. The Office Assistant has the ability to perform any Office task, helping users perform simple tasks with an intuitive interface.

Clippy’s scripting capabilities allows ambitious administrators to create custom macros for new users. Microsoft ( Active X scripting in Office 2000’s Office Assistant, unintentionally creating the security issue. Active X is a protocol allowing greater scripting functionality on the Internet. Because of the unlimited functionality of the Office Assistant, malicious web administrators could potentially write scripts for the Office Assistant to perform destructive tasks.

One potential use of the Office Assistant is launching destructive macros or Visual Basic scripts. The “love bug” worm was a Visual Basic script.

Ever since Clippy debuted with Office 97, some users have been frustrated and annoyed with the automated, dumbed down help feature. Magazines have even offered technical advice on getting rid of the box. Posters on the Slashdot message board ( had mixed feelings about the revelations.

“Just what we need. The stupid 3D paper clip jumps up and tells you it loves you,” wrote one reader, referring to the recent “love bug” worm. Other posters had suggestions for creative uses of the security hole: “It would be even funnier to have the Office Assistant explain why he is doing bad things to the system as the malicious code runs--let the user think that the clip is sick of being his secretary,” wrote another Slashdotter.

Active X is a safe technology, according to Microsoft, who attributes the back door to human error. The patch prevents Active X control of the Office Assistant via the web. The patch is available at: -Christopher McConnell

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

  • Most Microsoft Retail Locations To Shut Down

    Microsoft is pivoting its retail operations to focus more on online sales, a plan that would mean the closing of most physical Microsoft Store locations.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.