News

Coming to a Windows Server 2000 Computer Near You: 'Clippy's Revenge'

"It looks like you're using me as an attack vector for hacking into a business network, would you like some help?"

That phrasing, if not the exact wording, should be instantly recognizable to anyone who's ever used the reviled -- and now defunct -- Microsoft Office help agent icon known as "Clippy." And now Clippy, whom everyone assumed with great delight was dead, could be revived as a destructive force, IT analysts and researchers learned this week.

Security experts at Symantec, VeriSign and other vendors have discovered that a "proof of concept" code exists to exploit a vulnerability for which Redmond released a "Critical" patch (Bulletin MS07-051) on Tuesday. The exploit code comes less than two days after Redmond's announcement that hackers could piggyback on "Clippy" using a specially crafted URL to penetrate a workstation hard drive or, even worse, a business network.

In IT security terms, proof of concept simply means that someone has developed new code to test the hypothesized weakness and how it can be used to hack into a system -- in this case, Windows 2000.

It's not clear at this time whether there is any malicious intent connected to the new exploit code's existence. Symantec's DeepSight threat network first alerted customers that JavaScript exploit code had been posted to the Web from somewhere inside Brazil.

"There are a number of enterprises that still use Windows 2000 and this exploit is typical of the underground, a very common way to get into the system," explains Tom Cross, a researcher with IBM Internet Security Systems Inc.'s X-Force. "Things like the Clippy exploit are used to install malware almost all the time."

Current users and admins running Windows 2000 and related applications should install Microsoft's critical patch quickly, as well as leveraging whatever intrusion prevention system (IPS) technology is at their disposal, adds Cross.

IT security managers will have to decide whether or not to disable ActiveX control, as VeriSign suggests, or simply restrict access to non-pertinent Web sites while patches are loading on to the system.

Neil MacDonald, Vice President of Gartner Research and a Gartner Fellow of Information Security, says there are no penalties for being too cautious. He adds that it's fortunate that the "Clippy" exploit code doesn't represent a "zero day" attack, meaning the code didn't spring up before Microsoft released the patch.

"What you tend to look for with the 'proof of concept' versus something that is in the wild, is how the exploit code progresses," MacDonald said. "In this instance you watch out for code variants, monitor how it spreads and how the code evolves."

Eric Schultze, chief security architect at Saint Paul, Minn.-based Shavlik Technologies, calls the exploit "Clippy's Revenge." He said the scary thing is that "users and administrators don't even have to see the Clippy icon to get their system hacked Just be vigilant around your enterprise and take all the 'critical' patches seriously."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Microsoft Starting To Roll Out New Excel Connected Data Types

    Microsoft on Thursday announced some Excel and Power BI enhancements that add "connected data types" on top of the standard strings and numbers options.

  • Windows 10 Users Getting New Process for Finding Optional Driver Updates

    Accessing Windows 10 drivers classified as "optional updates" will be more of a manual seek-and-install type of experience, starting on Nov. 5, 2020, Microsoft explained in a Wednesday announcement.

  • Microsoft Changes Privacy Platform Name to SmartNoise

    Microsoft Research has changed the name of its "differential privacy" platform from "WhiteNoise" to "SmartNoise," according to a Wednesday announcement.

  • Why Restarting a Failed SCVMM Job Might Be a Bad Idea

    Occasionally, restarting a failed System Center Virtual Machine Manager job can leave your virtualization infrastructure in an unknown state. Here's how to avoid that.

comments powered by Disqus