Disabled by default: Microsoft ups the ante in its war against VBScript on Internet Explorer
Will the last IE 11 user please turn out the lights?
Microsoft is dealing with the seemingly never-ending dribble of security problems with VBScript by muffling its cries. In Internet Explorer 11, at least.
The browser gang had already deprecated the tech in Internet Explorer 11 unless you really, really wanted it but, as of July, upped the ante by disabling it by default for Untrusted Zones for Windows 10. By 13 August, Windows 7, 8 and 8.1 will follow suit, thanks to a cumulative update.
If you absolutely must have VBScript for that shonky old site that should have been retired aeons ago, the legacy scripting language can still be re-enabled per Site Security Zone, via a Registry hack or via Group Policy, but the message is clear: Microsoft would dearly like you to stop using it in your sites. Now.
Microsoft first began its repeated attempts to axe the tech four years ago, with the arrival of Windows 10 and the ultimately doomed Edge browser. At the time, the company was keen to trumpet the removal of tech like ActiveX and VBScript from its Internet Explorer replacement.
However, Microsoft is all about backwards compatibility, and VBScript limped on in Legacy Document Mode in Internet Explorer 11 while Edge singularly failed to set to world alight. Two years ago, Microsoft gave users the ability to block VBScript execution for all document modes but still the limpet-like engine clung on.
So now it will be disabled by default for IE11 and WebOCs (Web Object Controls, aka embedded IE) for internet and Untrusted zones – which likely means that on trusted sites (and probably intranet), it will be enabled.
Unsurprisingly for the Microsoft of the era, it was also not to be found in competing browsers – after all, the lead of Internet Explorer at the beginning of the new millennium seemed unassailable.
Thankfully, the number of websites using VBScript in the browser declined with Internet Explorer's market share, although the tech has retained a toehold in the server world of Active Server Pages (ASP) – Microsoft's ancient web application technology pre-dating .NET.
The engine has also continued making news for all the wrong reasons thanks to the likes of remote code execution vulnerabilities, allowing miscreants to do all manner of unsavoury deeds with carefully crafted web pages.
While the engine itself will continue to live on in the enterprise – there are lines and lines of the stuff used to glue legacy systems together and automate all manner of processes – its demise by default in Internet Explorer 11 can be filed under "about time too". ®