by Martin Brinkmann on August 05, 2019 in Internet Explorer – Last Update: August 05, 2019 – 2 comments
Microsoft announced plans in 2017 to disable VBScript in Internet Explorer 11; the company deprecated the feature but kept it alive for certain environments back then to give organizations enough time to migrate resources that use VBScript to other technologies.
VBScript, which was introduced by Microsoft more than two decades ago, is an active scripting language that is modeled on Visual Basic.
It came to some fame in 2000 when a computer worm known as the I Love You or Love Letter Virus, used it to infect systems. Users would get emails with the subject linke ILOVEYOU and an attachment LOVE-LETTER-FOR-YOU.txt.vbs. Users who opened the attachment would infect their machines with the worm.
One of the problems back then was that Windows hid the actual extension of the attachment so that many Windows users believed that it was a harmless text file.
Infected PCs would send emails using the contacts list to spread to other machines. It would furthermore configure Windows to launch itself on start of the system and modify data in computer files.
Microsoft recommended that Microsoft Internet Explorer users disable VBScript in the browser for the Internet Zone and Restricted Sizes Zone to protect the browser against attacks targeting VBScript.
Administrators and users had to disable VBScript in Internet Explorer manually at the time.
The July 2019 cumulative updates for Windows 10 disabled VBScript by default on machines running Windows 10. The coming August 2019 cumulative updates for Windows 7 Service Pack 1, Windows 8, and Windows 8.1, will do the same on these machines.
VBScript will be disabled by default for Internet Explorer 11 and WebOCs for Internet and Untrusted zones on all platforms running Internet Explorer 11.
VBScript won’t be removed at this time though. Microsoft notes that it is still possible to enable it on machines if the legacy technology is still needed.
The settings to enable or disable for VBScript execution in Internet Explorer 11 will remain configurable per site security zone, via Registry, or via Group Policy, should you still need to utilize this legacy scripting language.
A support article on the Microsoft Support website provides details on the available options. In short: administrators may turn on VBScript using the Registry, Group Policy (Enterprise only), or site security zone.
Closing Words
The disabling of VBScript is a long overdue step on the Home system and user side; organizations can still allow it on certain systems if legacy scripts are still used.
Now You: when was the last time you encountered a VBScript?