As part of the October 2020 Patch Tuesday security updates, Microsoft has added a new option to Windows to let system administrators disable the JScript component inside Internet Explorer.
Development on the JScript engine ended, and the component was deprecated with the release of Internet Explorer 8.0 in 2009, but the engine remained in all Windows OS versions as a legacy component inside IE.
Across the years, threat actors realized they could attack the JScript engine, as Microsoft wasn't actively developing it and only rarely shipped security updates, usually only when attacked by threat actors.
All were bugs exploited by nation-state actors, for which Microsoft had to hurry to ship patches [1, 2]. Once patched, proof-of-concept code was also published on GitHub, and these vulnerabilities also quickly entered the arsenal of exploit kit developers [1, 2].
Now, 11 years after deprecating the component, Microsoft is finally giving system administrators a way to disable JScript execution by default.
According to Microsoft, the October 2020 Patch Tuesday introduces new registry keys that system administrators can apply and block the jscript.dll file from executing code.
Details on how this can be done are available below, as taken from Microsoft's documentation.
- Click Start, click Run, type regedt32 or regedit, and then click Ok.
- To disable JScript execution in Internet Zone, locate the following registry subkey in Registry Editor:
To disable JScript execution in Restricted Sites Zone, locate the following registry subkey in Registry Editor:
- Right-click the appropriate registry subkey, and then click Modify.
- In the Edit DWORD (32-bit) Value dialog box, type 3.
- Click OK, and then restart Internet Explorer.