Naked Security

Microsoft puts another nail in VBScript coffin

Listen up, VBScript fans: your favourite scripting language’s days are numbered. Microsoft has announced that it will turn off support for the language by default in pre-Windows 10 versions in its Patch Tuesday updates on 13 August.

Microsoft first began killing off VBScript in December 2016, when it deprecated the language for pages that Internet Explorer 11 displays in IE11 mode. However, VBScript still ran in webpages displayed in legacy document modes. These are display modes designed to support older versions of IE while web developers transitioned to the standards used in IE11.

The support for legacy document modes was a temporary solution, though. Those modes are deprecated in Windows 10 and the Edge browser doesn’t support them at all. In a 12 April 2017 post, Microsoft announced that it would be further stamping out VBScript in IE11 by blocking VBScript in all document modes. It added:

In subsequent Windows releases and future updates, we intend to disable VBScript execution by default in Internet Explorer 11 for websites in the Internet Zone and the Restricted Sites Zone.

Now, it is delivering on that promise. On 2 August, it announced that cumulative updates for Windows 7, 8, and 8.1 due next week will disable VBScript by default across the board. It already made that change for Windows 10 in its July 2019 cumulative update, it said.

Created in 1996, VBScript is a dynamic scripting language that Microsoft modelled on the Visual Basic programming language. Windows sysadmins could use it to automate computing tasks, although now many have switched to PowerShell. It is often used for server-side processing in web pages, typically in Microsoft Active Server Pages (ASP).

Microsoft considers VBScript a thing of the past and calls it a legacy language in its latest post. It abandoned VBScript in its Edge browser because JavaScript had become the de facto standard.

There seems little reason to use VBScript unless it is embedded in a legacy website that a company absolutely must use and for some reason can’t update. But there are definite reasons to turn it off. Attackers love VBScript, because it offers an easy way to manipulate a machine.

This doesn’t mean that you can’t use VBScript if you really have to. You can still change the settings for VBScript execution manually in IE11 in three ways. You can change it on a per-site basis by configuring the site security zone, you can alter the registry, or you can make a Group Policy change.
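To check what a machine is actually configured to do, the following read-only audit lists the per-zone VBScript setting from both the Group Policy and the user/machine preference locations in the registry. It is an added example, not code from the article or from Microsoft. The function name `Get-VBScriptZoneSetting` is hypothetical, and the value name `140C` (the Internet Explorer URL action for VBScript) and the zone numbering are assumptions taken from Windows' security-zone settings, not from the article.

```powershell
# Added example: read-only audit of the IE "Allow VBScript to run" URL action
# (registry value 140C) per security zone. Nothing is modified.
$zoneNames   = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                  3 = 'Internet';      4 = 'Restricted sites' }
$policyNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Locations where the setting can live: Group Policy first, then preferences.
$roots = [ordered]@{
    'Policy (machine)'     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'Policy (user)'        = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'Preference (machine)' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'Preference (user)'    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

function Get-VBScriptZoneSetting {
    foreach ($root in $roots.GetEnumerator()) {
        foreach ($zoneId in 0..4) {
            $key   = Join-Path $root.Value "$zoneId"
            $value = $null
            if (Test-Path $key) {
                $item  = Get-ItemProperty -Path $key -Name '140C' -ErrorAction SilentlyContinue
                $value = $item.'140C'
            }

            # A missing value means the built-in default for that zone applies.
            if ($null -eq $value)                  { $setting = 'Not set' }
            elseif ($policyNames.ContainsKey($value)) { $setting = $policyNames[$value] }
            else                                   { $setting = "Unknown ($value)" }

            [pscustomobject]@{
                Source  = $root.Key
                Zone    = $zoneNames[$zoneId]
                Setting = $setting
                # Flag VBScript explicitly re-enabled where untrusted content lives.
                Review  = ($zoneId -in 3, 4) -and ($setting -in 'Enabled', 'Prompt')
            }
        }
    }
}

Get-VBScriptZoneSetting |
    Where-Object { $_.Setting -ne 'Not set' } |
    Format-Table -AutoSize
```

Rows with `Review` set to `True` are places where VBScript has been turned back on for the Internet or Restricted Sites zone and are worth tracing to the legacy site that needed it.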

Microsoft also blocked activation of VBScript controls in Office 365 client applications last year.

7 Comments

What about VBScript for automation and administration?
I have used this for decades. It is stable and my scripts are safe from the internet. Also I only run them when my main access point is closed so some peeper can’t get in and mess anything up.
I guess I will have to learn PowerShell or JavaScript sooner than later so I can update my .hta’s and admin scripts.

Reply

The article doesn’t say it specifically, but I think this only affects client-side .vbs in browsers?
Windows itself comes with some vbs scripts for administration, such as slmgr.vbs which is used for viewing and configuring the license.

Reply

slmgr /rearm FTW :-)

I think you are right that this change won’t stop VBS programs running from the command line or via a double-click *from Windows itself*, so your stash of sysadmin script hacks that run outside the browser should still be usable (no need to port them to PowerShell just yet).

But VBS that’s embedded in a web page loaded by IE, or by what Microsoft calls a WebOC (Web Browser control), won’t be executed by default any more.

As Danny points out in the article, Edge doesn’t do VBS at all anyway – Microsoft dropped it along with a bunch of other old-school stuff such as ActiveX, Browser Helper Objects and Vector Markup Language.

Reply

Thank you both for your responses!
A few of those 10+ year old scripts are still good for quick and easy admin using the Command Prompt on my little home network.
Cheers

Reply

How long before Microsoft considers WinAPI a thing of the past and calls it legacy? Attackers love WinAPI, because it offers an easy way to manipulate a machine.

Reply

Web browsing programs such as Firefox never supported VBScript, that I know of. Hence, I have never considered it to be suitable for functions in a web page. To me, this raises the question whether or not VBScript will remain a viable option, along with PHP, the related Visual Basic, and other languages used by web servers to generate web page content on the fly. Also, if VBScript remains a server option, how recently was the latest version developed? The hosting outfit for my indicated web site has shut down the server, which supported PHP, VBScript (via *.asp files), and some others. Just wondering.

Reply

I can’t imagine that hosting providers will want to continue supporting it on the server side if Microsoft isn’t giving out any more security patches.

Reply
