News

Coming to a Windows Server 2000 Computer Near You: 'Clippy's Revenge'

"It looks like you're using me as an attack vector for hacking into a business network, would you like some help?"

That phrasing, if not the exact wording, should be instantly recognizable to anyone who's ever used the reviled -- and now defunct -- Microsoft Office help agent icon known as "Clippy." And now Clippy, whom everyone assumed with great delight was dead, could be revived as a destructive force, IT analysts and researchers learned this week.

Security experts at Symantec, VeriSign and other vendors have discovered that a "proof of concept" code exists to exploit a vulnerability for which Redmond released a "Critical" patch (Bulletin MS07-051) on Tuesday. The exploit code comes less than two days after Redmond's announcement that hackers could piggyback on "Clippy" using a specially crafted URL to penetrate a workstation hard drive or, even worse, a business network.

In IT security terms, proof of concept simply means that someone has developed new code to test the hypothesized weakness and how it can be used to hack into a system -- in this case, Windows 2000.

It's not clear at this time whether there is any malicious intent connected to the new exploit code's existence. Symantec's DeepSight threat network first alerted customers that JavaScript exploit code had been posted to the Web from somewhere inside Brazil.

"There are a number of enterprises that still use Windows 2000 and this exploit is typical of the underground, a very common way to get into the system," explains Tom Cross, a researcher with IBM Internet Security Systems Inc.'s X-Force. "Things like the Clippy exploit are used to install malware almost all the time."

Current users and admins running Windows 2000 and related applications should install Microsoft's critical patch quickly, as well as leveraging whatever intrusion prevention system (IPS) technology is at their disposal, adds Cross.

IT security managers will have to decide whether or not to disable ActiveX control, as VeriSign suggests, or simply restrict access to non-pertinent Web sites while patches are loading on to the system.

Neil MacDonald, Vice President of Gartner Research and a Gartner Fellow of Information Security, says there are no penalties for being too cautious. He adds that it's fortunate that the "Clippy" exploit code doesn't represent a "zero day" attack, meaning the code didn't spring up before Microsoft released the patch.

"What you tend to look for with the 'proof of concept' versus something that is in the wild, is how the exploit code progresses," MacDonald said. "In this instance you watch out for code variants, monitor how it spreads and how the code evolves."

Eric Schultze, chief security architect at Saint Paul, Minn.-based Shavlik Technologies, calls the exploit "Clippy's Revenge." He said the scary thing is that "users and administrators don't even have to see the Clippy icon to get their system hacked Just be vigilant around your enterprise and take all the 'critical' patches seriously."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Report: Cost, Sustainability Drive DaaS Adoption Beyond Remote Work

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.

  • Windows 365 Reserve, Microsoft's Cloud PC Rental Service, Hits Preview

    Microsoft has launched a limited public preview of its new "Windows 365 Reserve" service, which lets organizations rent cloud PC instances in the event their Windows devices are stolen, lost or damaged.

  • Hands-On AI Skills Now Outshine Certs in Salary Stakes

    For AI-related roles, employers are prioritizing verifiable, hands-on abilities over framed certificates -- and they're paying a premium for it.

  • Roadblocks in Enterprise AI: Data and Skills Shortfalls Could Cost Millions

    Businesses risk losing up to $87 million a year if they fail to catch up with AI innovation, according to the Couchbase FY 2026 CIO AI Survey released this month.