News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Patch Lady – VBscript gets disabled

    Posted on Susan Bradley Comment on the AskWoody Lounge

    Home Forums AskWoody blog Patch Lady – VBscript gets disabled

    Tagged: 

    This topic contains 10 replies, has 7 voices, and was last updated by  southieguy 12 hours, 38 minutes ago.

    • Author
      Posts
    • #1902677 Reply

      Susan Bradley
      AskWoody MVP

      Stumbled across this tonight and I’m not sure if it’s been discussed. https://blogs.windows.com/msedgedev/2019/08/02/update-disabling-vbscript-interne
      [See the full post at: Patch Lady – VBscript gets disabled]

      Susan Bradley Patch Lady

      2 users thanked author for this post.
    • #1902919 Reply

      abbodi86
      AskWoody_MVP

      https://www.askwoody.com/forums/topic/ms-defcon-4-time-to-get-the-july-2019-patches-installed/#post-1901530

      They didn’t announce it beforehand to get a chance to discuss it

      • This reply was modified 1 week, 6 days ago by  abbodi86.
    • #1902965 Reply

      zeuswoz
      AskWoody Lounger

      Far as I know, I don’t think the original notification in 2017 was discussed.

      https://blogs.windows.com/msedgedev/2017/04/12/disabling-vbscript-execution-in-internet-explorer-11/#jOpv41Lt4oGkSAy7.97

      I only found 1 post that referred to KB4012494

      https://www.askwoody.com/forums/topic/patch-tuesday-patches-are-up/#post-107604

      IMO, its part of Microsoft’s plan to get rid of VBScript completely from Windows as I think they see it as a obsolete script language. They want you to use POSH. Also I suspect its linked to Edge changing to Chromium.

       

      Rgds, Zeus

      • This reply was modified 1 week, 6 days ago by  zeuswoz.
      1 user thanked author for this post.
    • #1903099 Reply

      anonymous

      When KB4012494 was first published in 2017, I immediately disabled IE VBscript on all my Windows 7 machines. Allowing IE to execute VBscript on Internet facing machines always sounded like a horrible idea security-wise.

      Actually, I had forgotten that I had done so until this topic resurfaced. Apparently, I suffered no ill effects by disabling VBscript, or at least none that I observed or was aware of.

      Long overdue to make this the default in IE 11 – better late than never I suppose.

      – Carl –

      • #1903465 Reply

        mn–
        AskWoody Lounger

        Allowing IE to execute VBscript on Internet facing machines always sounded like a horrible idea security-wise.

        Well it did have a number of “arbitrary code execution via crafted web page” and other vulnerabilities over the years, so have to concur based on that only.

        (Not that the concept would be limited to VBScript and IE, but… )

    • #1903444 Reply

      anonymous

      KB4510979, the second cumulative update for IE11 in July, the one that fixes the Windows-Eyes screen reader app error, also disables VBScript by default in the Internet and Restricted sites zones.

      1 user thanked author for this post.
    • #1903490 Reply

      anonymous

      It shouldn’t only be disabled in IE, because it can still be triggered by rogue email attachments.
      Things like .vbs .mht. js etcetera can easily be ‘disabled’ system wide by forcing Windows to open them by default with Notepad.

      Is an old trick, which people here probably already know.

      • #1903616 Reply

        JohnFDoe
        AskWoody Lounger

        It is important to note that there are still administrative (local/lan) scripts written in VBScript, just like there are scripts in JavaScript, batch, Python, Perl, PowerShell etc.

        So killing VBScript systemwide will be a highly destructive “update” of the kind that causes people to go Group B or W.

        However killing the general “code and script execution by mail” issues would be really good. The oldest such bug is the misleading display of file names with double extensions like loveletterforyou.txt.vbs due to a 1994 idea of hiding most file types.

      • #1904789 Reply

        anonymous

        I’m fairly certain that some updates still call .vbs tools, and some of the MS-released toolkits also use .vbs.

        Bit moot of a point re: malicious vbscripts.  If you’re running a version of Office newer than 2003 (maybe even 2003?) it will warn you that the file you’re trying to open is a script and not safe.  If you’re running a supported version of Windows, if you copy it from Outlook (somehow, I think it blocks this) then you still have the prompts saying the file is from the Internet and unsafe.  There’s only so much handholding that can be expected, and automation is too useful to get rid of.

        .JS runs in a sandbox in browsers but runs via scripthost on local system, I think.  Scripthost is what .vbs uses, so no difference really.  Likewise any other scripting language (Perl, Python, Powershell, Lua, etc) can be used to cause the same havoc if used maliciously, the only difference is you have to install them first.

    • #1903636 Reply

      anonymous

      The Register UK published an article today (Aug 5) about this topic. While nothing earth shattering is revealed, the tag line is catchy “Will the last IE 11 user please turn out the lights?”

      http://www.theregister.co.uk/2019/08/05/vbscript_disabled_by_default/

      – Carl –

    • #1910153 Reply

      southieguy
      AskWoody Plus

      I have an important VBScript that I liked to run from time to time on my W7 SP1 laptop.  Somewhere along the way, M_soft disabled it on my machine.

      How can I enable VBScript?  The Fixit provided in the article referenced by Susan to enable VBScript didn’t work on my machine.

      Thanks for any help provided,

      Dick-Y

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Patch Lady – VBscript gets disabled

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.