News

Coming to a Windows Server 2000 Computer Near You: 'Clippy's Revenge'

"It looks like you're using me as an attack vector for hacking into a business network, would you like some help?"

That phrasing, if not the exact wording, should be instantly recognizable to anyone who's ever used the reviled -- and now defunct -- Microsoft Office help agent icon known as "Clippy." And now Clippy, whom everyone assumed with great delight was dead, could be revived as a destructive force, IT analysts and researchers learned this week.

Security experts at Symantec, VeriSign and other vendors have discovered that a "proof of concept" code exists to exploit a vulnerability for which Redmond released a "Critical" patch (Bulletin MS07-051) on Tuesday. The exploit code comes less than two days after Redmond's announcement that hackers could piggyback on "Clippy" using a specially crafted URL to penetrate a workstation hard drive or, even worse, a business network.

In IT security terms, proof of concept simply means that someone has developed new code to test the hypothesized weakness and how it can be used to hack into a system -- in this case, Windows 2000.

It's not clear at this time whether there is any malicious intent connected to the new exploit code's existence. Symantec's DeepSight threat network first alerted customers that JavaScript exploit code had been posted to the Web from somewhere inside Brazil.

"There are a number of enterprises that still use Windows 2000 and this exploit is typical of the underground, a very common way to get into the system," explains Tom Cross, a researcher with IBM Internet Security Systems Inc.'s X-Force. "Things like the Clippy exploit are used to install malware almost all the time."

Current users and admins running Windows 2000 and related applications should install Microsoft's critical patch quickly, as well as leveraging whatever intrusion prevention system (IPS) technology is at their disposal, adds Cross.

IT security managers will have to decide whether or not to disable ActiveX control, as VeriSign suggests, or simply restrict access to non-pertinent Web sites while patches are loading on to the system.

Neil MacDonald, Vice President of Gartner Research and a Gartner Fellow of Information Security, says there are no penalties for being too cautious. He adds that it's fortunate that the "Clippy" exploit code doesn't represent a "zero day" attack, meaning the code didn't spring up before Microsoft released the patch.

"What you tend to look for with the 'proof of concept' versus something that is in the wild, is how the exploit code progresses," MacDonald said. "In this instance you watch out for code variants, monitor how it spreads and how the code evolves."

Eric Schultze, chief security architect at Saint Paul, Minn.-based Shavlik Technologies, calls the exploit "Clippy's Revenge." He said the scary thing is that "users and administrators don't even have to see the Clippy icon to get their system hacked Just be vigilant around your enterprise and take all the 'critical' patches seriously."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • 2019 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss this year.

  • Microsoft Rolls Out SQL Server 2019 RC1

    The first release candidate of the forthcoming SQL Server 2019 product can now be downloaded from Microsoft's Evaluation Center page.

  • The 2019 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generation of HoloLens, here's what's on tap from Microsoft this year.

  • Microsoft, Tech Leaders Back Confidential Computing Consortium

    The Linux Foundation on Wednesday announced the formation of a new group that aims to ensure the security of processed data.

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.