VB strikes again

by John Browne, on Aug 6, 2019 2:45:57 PM

I completely missed this when it was announced in 2017 but sure didn't miss it when ZDNet published this yesterday. Microsoft is killing support for VBScript in IE11 in August's Patch Tuesday which un-ironically is on the 13th this month. We'll get to why in a minute (spoiler, it involves one of those places you really don't want to visit).

What is/was VBScript?

Let's do a quick refresher on what this is and why we care. Tim Berners-Lee gave us the World Wide Web so that we could look at cat pictures, but of course that wasn't enough. We wanted web pages that counted how many times a cat picture had been clicked on. So Microsoft added an execution context to Internet Explorer that could run the Visual Basic language runtime. Why VB? Why not?*

VBScript could be used on a web page (running inside IE) to access the Document Object Model (DOM) creating a Frankenstein coding style that mixed HTML and script code into a kind of software GORP that makes my skin crawl. The result was, among other things, that seemingly every web page in the 90s used VBScript to display the current time--in preparation, no doubt, for a catastrophic global wristwatch failure.

A little more useful was the integration of VBScript into Active Server Pages (aka classic ASP) to make things like shopping carts and product pages (via database lookup) to bring on the revolution that eventually gave us Amazon.com. And since VBScript was marginally more readable and certainly more powerful than the DOS Batch language, IT admins used it widely for various and no doubt nefarious tasks.

Net net: There was a lot of VBScript written, and a lot of it is still around causing trouble, just like your drunk uncle.

Why is Microsoft giving it the double tap?

There's a small chilly nation Over There where the only entertainment is watching reruns of Kim Jong Un's Greatest Speeches Which You Better Not Say Anything Bad About or We Might Use You For Anti-Aircraft Target Practice. Legions of bored North Korean teenagers who have no access to X-Boxes have instead filled their hours by hacking into various private and public institutions in the rest of the world, including hotel guests and politicians. They've targeted IE with malware twice in the past, and packed an IE frame running a nasty VBScript payload inside benign-looking Word docs, which were sent via email to unsuspecting targets. And supposedly the Neiman Marcus and Target hacks--yielding 110 million credit cards--were a VBScript goodie.

The Kids from Redmond already zapped auto execution of VBScript with the Windows 10 Fall Creators Update, released last year (like, in the fall, ok?). Now they're pulling the plug on the default mode for IE11. If you still hunger to get hacked by DPRK clowns, you can re-enable it with a registry entry or a group policy setting. Enjoy your new job search if you do; I hear McDonald's is hiring.

Another brick in the wall

Ah, for the golden days of the 90s, when we didn't realize a lot of our development tools were the equivalent of hanging a big sign outside the house with "Free TV! This window is unlocked." Fortunately we have JavaScript today which has a more robust execution environment and is supported on all modern browsers. Classic ASP got replaced by ASP.NET with web forms (groan) and finally modern ASP.NET and ASP.NET Core which are very nice indeed (anyway that's what we use).

If you've got some basic VBScript on web pages, you can probably just port it to JavaScript. Our own Mauricio Rojas wrote a little blog post to help you understand the differences.
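Before porting anything you need to know where the VBScript actually lives. The following is an added example, not code from the original post or from Mobilize.Net: a small Python inventory scanner that flags VBScript `<script>` blocks, `vbscript:` URLs and classic ASP language directives in page source. The function name `find_vbscript` and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Classic ASP page directive, e.g. <%@ Language=VBScript %>. This code runs on
# the server, so the IE11 change does not touch it; it is listed for inventory.
ASP_DIRECTIVE = re.compile(r'<%@[^%]*\blanguage\s*=\s*"?vbscript', re.I)


class _VBScriptFinder(HTMLParser):
    """Collects (line, kind) for client-side VBScript in HTML source."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        a = {k: (v or "").strip().lower() for k, v in attrs}
        # <script language="VBScript"> or <script type="text/vbscript">
        if tag == "script" and (a.get("language", "").startswith("vbs")
                                or a.get("type") == "text/vbscript"):
            self.findings.append((line, "script-tag"))
        # Any attribute whose value is a vbscript: URL (href, src, ...)
        for value in a.values():
            if value.startswith("vbscript:"):
                self.findings.append((line, "vbscript-url"))


def find_vbscript(text):
    """Return a sorted list of (line_number, kind) findings for one page."""
    finder = _VBScriptFinder()
    finder.feed(text)
    finder.close()
    found = finder.findings
    for m in ASP_DIRECTIVE.finditer(text):
        found.append((text.count("\n", 0, m.start()) + 1, "asp-directive"))
    return sorted(found)


# Constructed sample page, not taken from any real site.
SAMPLE = """<%@ Language=VBScript %>
<html><body>
<script language="VBScript">
  document.write Time()
</script>
<script type="text/javascript">var n = 1;</script>
<a href="vbscript:ShowCart()">cart</a>
<SCRIPT TYPE="text/vbscript">x = 1</SCRIPT>
</body></html>
"""

if __name__ == "__main__":
    for line, kind in find_vbscript(SAMPLE):
        print(f"line {line}: {kind}")
```

Run it over each `.htm`, `.html`, `.hta` and `.asp` file in a site tree to get a list of pages that still depend on VBScript.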

VBScript is antique, old, ancient, legacy, toxic. VB6 is also old, toxic, legacy, ancient, dead. You have to assume if you have old languages or platforms still in use that they may be a vector for a malicious exploit that you just don't know about. When you DO know about it, it will be too late. But you can always kick the can down the road.

Like I said, I hear McDonald's is hiring.

*I was there at the time, and I remember a lot of corporate discussions about scripting. As different groups inside Microsoft wanted to add some kind of programmatic capability to their applications, it was clear that soon we'd have as many different scripting languages as we had apps. So since BASIC was widely known (after all, it shipped with DOS), it was declared the winner and the VB language was chosen as the anointed official version of BASIC to use for any scripting requirements. That's why it's VBScript and not CScript or MASMScript or GatesScript.

Note: This picture denotes someone who's NOT using VBScript. Note her relaxed and pleasant demeanor.

Topics: malware, vbscript
