Patch Lady – VBscript gets disabled

    #1902677

    Stumbled across this tonight and I’m not sure if it’s been discussed. https://blogs.windows.com/msedgedev/2019/08/02/update-disabling-vbscript-interne
    [See the full post at: Patch Lady – VBscript gets disabled]

    Susan Bradley Patch Lady/Prudent patcher

    • #1902919
      • This reply was modified 5 years, 9 months ago by abbodi86.
    • #1902965

      Far as I know, I don’t think the original notification in 2017 was discussed.

      https://blogs.windows.com/msedgedev/2017/04/12/disabling-vbscript-execution-in-internet-explorer-11/#jOpv41Lt4oGkSAy7.97

      I only found 1 post that referred to KB4012494

      https://www.askwoody.com/forums/topic/patch-tuesday-patches-are-up/#post-107604

      IMO, it’s part of Microsoft’s plan to get rid of VBScript completely from Windows as I think they see it as an obsolete script language. They want you to use POSH. Also I suspect it’s linked to Edge changing to Chromium.

       

      Rgds, Zeus

    • #1903099

      When KB4012494 was first published in 2017, I immediately disabled IE VBscript on all my Windows 7 machines. Allowing IE to execute VBscript on Internet facing machines always sounded like a horrible idea security-wise.

      Actually, I had forgotten that I had done so until this topic resurfaced. Apparently, I suffered no ill effects by disabling VBscript, or at least none that I observed or was aware of.

      Long overdue to make this the default in IE 11 – better late than never I suppose.

      – Carl –

      • #1903465

        Allowing IE to execute VBscript on Internet facing machines always sounded like a horrible idea security-wise.

        Well it did have a number of “arbitrary code execution via crafted web page” and other vulnerabilities over the years, so have to concur based on that only.

        (Not that the concept would be limited to VBScript and IE, but… )

    • #1903444

      KB4510979, the second cumulative update for IE11 in July, the one that fixes the Window-Eyes screen reader app error, also disables VBScript by default in the Internet and Restricted sites zones.

    • #1903490

      It shouldn’t only be disabled in IE, because it can still be triggered by rogue email attachments.
      Things like .vbs, .mht, .js etcetera can easily be ‘disabled’ system wide by forcing Windows to open them by default with Notepad.

      Is an old trick, which people here probably already know.
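
      A read-only way to check whether the Notepad trick from the post above is in effect on a machine, added here as an example and not part of the original thread. The extension list, the script-host names and the function name Get-OpenCommand are assumptions chosen for illustration; the script assumes the double-click action is the "open" verb and needs PowerShell 3.0 or later.

```powershell
# Added example (read-only): which program opens each script extension?
# The extension and host lists below are assumptions for illustration.
$extensions  = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'
$scriptHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Get-OpenCommand {
    param([string]$Extension)

    # A per-user "Open with" choice overrides the machine-wide association.
    $userKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId  = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        # Fall back to the ProgID stored in the extension's default value.
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    }
    if (-not $progId) { return $null }

    # Assumption: double-click runs the "open" verb of that ProgID.
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
}

$report = foreach ($ext in $extensions) {
    $command = Get-OpenCommand -Extension $ext
    if (-not $command) {
        $result = 'no open handler found'
    } elseif ($scriptHosts | Where-Object { $command -like "*$_*" }) {
        $result = 'RUNS when double-clicked'
    } else {
        $result = 'opens in a non-script program'
    }
    [pscustomobject]@{ Extension = $ext; Result = $result; Command = $command }
}

# One row per extension; nothing in the registry is changed.
$report | Format-Table -AutoSize -Wrap
```

      An extension reported as opening in a non-script program can still be run deliberately, for example by passing the file to cscript.exe, so administrative scripts keep working when started that way.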

      • #1903616

        It is important to note that there are still administrative (local/lan) scripts written in VBScript, just like there are scripts in JavaScript, batch, Python, Perl, PowerShell etc.

        So killing VBScript systemwide will be a highly destructive “update” of the kind that causes people to go Group B or W.

        However killing the general “code and script execution by mail” issues would be really good. The oldest such bug is the misleading display of file names with double extensions like loveletterforyou.txt.vbs due to a 1994 idea of hiding most file types.

      • #1904789

        I’m fairly certain that some updates still call .vbs tools, and some of the MS-released toolkits also use .vbs.

        Bit moot of a point re: malicious vbscripts.  If you’re running a version of Office newer than 2003 (maybe even 2003?) it will warn you that the file you’re trying to open is a script and not safe.  If you’re running a supported version of Windows, if you copy it from Outlook (somehow, I think it blocks this) then you still have the prompts saying the file is from the Internet and unsafe.  There’s only so much handholding that can be expected, and automation is too useful to get rid of.

        .JS runs in a sandbox in browsers but runs via scripthost on local system, I think.  Scripthost is what .vbs uses, so no difference really.  Likewise any other scripting language (Perl, Python, Powershell, Lua, etc) can be used to cause the same havoc if used maliciously, the only difference is you have to install them first.

    • #1903636

      The Register UK published an article today (Aug 5) about this topic. While nothing earth shattering is revealed, the tag line is catchy “Will the last IE 11 user please turn out the lights?”

      http://www.theregister.co.uk/2019/08/05/vbscript_disabled_by_default/

      – Carl –

    • #1910153

      I have an important VBScript that I liked to run from time to time on my W7 SP1 laptop.  Somewhere along the way, M_soft disabled it on my machine.

      How can I enable VBScript?  The Fixit provided in the article referenced by Susan to enable VBScript didn’t work on my machine.

      Thanks for any help provided,

      Dick-Y
