Microsoft puts another nail in VBScript coffin

Listen up, VBScript fans: your favourite scripting language’s days are numbered. Microsoft has announced that it will turn off support for the language by default in pre-Windows 10 versions in its Patch Tuesday updates on 13 August.

Microsoft first began killing off VBScript in December 2016, when it deprecated it in Internet Explorer 11 displaying pages in IE11 mode. However, it still ran in webpages displayed in legacy document modes. These are display modes designed to support older versions of IE while web developers transitioned to the standards used in IE11.

The support for legacy document modes was a temporary solution, though. Those modes are deprecated in Windows 10 and the Edge browser doesn’t support them at all. In a 12 April 2017 post, Microsoft announced that it would be further stamping out VBScript in IE11 by blocking VBScript in all document modes. It added:

In subsequent Windows releases and future updates, we intend to disable VBScript execution by default in Internet Explorer 11 for websites in the Internet Zone and the Restricted Sites Zone.

Now, it is delivering on that promise. On 2 August, it announced that cumulative updates for Windows 7, 8, and 8.1 due next week will disable VBScript by default across the board. It already made that change for Windows 10 in its July 2019 cumulative update, it said.

Created in 1996, VBScript is a dynamic scripting language that Microsoft modelled on the Visual Basic programming language. Windows sysadmins could use it to automate computing tasks, although now many have switched to PowerShell. It is often used for server-side processing in web pages, typically in Microsoft Active Server Pages (ASP).

Microsoft considers VBScript a thing of the past and calls it a legacy language in its latest post. It abandoned VBScript in its Edge browser because JavaScript had become the de facto standard.

There seems little reason to use VBScript unless it is embedded in a legacy website that a company absolutely must use and for some reason can’t update. But there are definite reasons to turn it off. Attackers love VBScript, because it offers an easy way to manipulate a machine.

This doesn’t mean that you can’t use VBScript if you really have to. You can still change the settings for VBScript execution manually in IE11 in three ways. You can change it on a per-site basis by configuring the site security zone, you can alter the registry, or you can make a Group Policy change.

Microsoft also blocked activation of VBScript controls in Office 365 client applications last year.