Microsoft: We're disabling VBScript in Windows 7, 8 to block attackers

Windows 7 and Windows 8 updates scheduled for next Patch Tuesday will disable VBScript in Internet Explorer 11.
Written by Liam Tung, Contributing Writer

Microsoft is moving ahead with its plan to eradicate VBScript from the web. On August 13, 2019, in the next Patch Tuesday update, the company will disable the technology by default on Internet Explorer 11 (IE11). 

The move will happen by way of cumulative updates for Windows 7, 8, and 8.1 in August's Patch Tuesday updates, cutting off a preferred target of North Korean hacking group DarkHotel.    

VBScript, which is based on Microsoft's Visual Basic programming language, emerged from Redmond in pre-Google 1996 as a scripting language for web developers. But it was only supported in IE on the client side. 

SEE: 20 pro tips to make Windows 10 work the way you want (free PDF)

Microsoft more recently deemed VBScript totally unnecessary, along with ActiveX, because the default on the web today is JavaScript, which is supported by all major browsers.

Microsoft in 2017 deprecated VBScript in IE11 as part of a years-long effort to unhitch its browsers from the legacy scripting engine

VBScript was not supported in Microsoft Edge and has since then been restricted to specific document modes in IE11, while Windows 10 gained an option to block VBScript code executing in all scenarios

Microsoft already disabled VBScript by default for IE11 on Windows 10 in July, and on August 13 will enter the same state in IE11 on Windows 7, Windows 8, and Windows 8.1 in the August update. 

However, to support business applications, admins will have the option of enabling or disabling VBScript execution in IE11 by security zones if they need it. This can be done through Registry or Group Policy

As explained by Microsoft watcher Paul Thurrott, Microsoft stopped paying attention to VBScript as it transitioned to .NET in the 2000s and from there used Visual Basic .NET for client- and server-side development. 

In the meantime, VBScript has been a fruitful tool for hackers. It was the language used by the hacker who scraped 100 million credit card details from Target customers with the BlackPOS malware in the early 2010s.   

Ghacks remembers that VBScript was also used to create the I Love You worm from 2000, which was delivered as a .txt.vbs attachment and worked well because Windows at the time hid the extension name of attachments. After people opened the attachment, their Windows PCs would send more I Love You emails to their contact list.   

More on Microsoft, Windows, and VBScript

Editorial standards