Clippy Has a Dark Side, Microsoft Says

Clippy, the Microsoft Office Assistant, has inspired a range of feelings from annoyance to outright loathing since arriving in 1997. Microsoft Corp. now says Clippy may be a dangerous security hole; since the Office Assistant is Active X enabled, it can act as a back door for malicious users. Microsoft has released a patch, which it says eliminates the security issues.

The Office Assistant, which appears by default as a helpful paper clip animation, aids new users in taking advantage of Office’s full functionality. The Office Assistant has the ability to perform any Office task, helping users perform simple tasks with an intuitive interface.

Clippy’s scripting capabilities allow ambitious administrators to create custom macros for new users. Microsoft ( Active X scripting in Office 2000’s Office Assistant, unintentionally creating the security issue. Active X is a protocol allowing greater scripting functionality on the Internet. Because of the unlimited functionality of the Office Assistant, malicious web administrators could potentially write scripts for the Office Assistant to perform destructive tasks.

One potential use of the Office Assistant is launching destructive macros or Visual Basic scripts. The “love bug” worm was a Visual Basic script.

Ever since Clippy debuted with Office 97, some users have been frustrated and annoyed with the automated, dumbed-down help feature. Magazines have even offered technical advice on getting rid of the box. Posters on the Slashdot message board had mixed feelings about the revelations.

“Just what we need. The stupid 3D paper clip jumps up and tells you it loves you,” wrote one reader, referring to the recent “love bug” worm. Other posters had suggestions for creative uses of the security hole: “It would be even funnier to have the Office Assistant explain why he is doing bad things to the system as the malicious code runs--let the user think that the clip is sick of being his secretary,” wrote another Slashdotter.

Active X is a safe technology, according to Microsoft, which attributes the back door to human error. The patch prevents Active X control of the Office Assistant via the web. The patch is available at:

-Christopher McConnell

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

