November 21, 2024
The End of an Era: Microsoft Phases Out VBScript for JavaScript and PowerShell

May 23, 2024 | Newsroom | Endpoint Security / Data Privacy

Microsoft on Wednesday outlined its plans to deprecate Visual Basic Script (VBScript) in the second half of 2024 in favor of more advanced alternatives such as JavaScript and PowerShell.

“Technology has advanced over the years, giving rise to more powerful and versatile scripting languages such as JavaScript and PowerShell,” Microsoft Program Manager Naveen Shankar said. “These languages offer broader capabilities and are better suited for modern web development and automation tasks.”

The tech giant originally announced its plans to gradually sunset VBScript in October 2023.

The scripting language, also called Visual Basic Scripting Edition, was first introduced by Microsoft in 1996 as a Windows system component, offering users the ability to automate tasks and develop interactive web pages using Internet Explorer and Edge (in Internet Explorer mode).

The announced deprecation plan consists of three phases, with the first phase kicking off in the second half of 2024, at which point VBScript will be available as an on-demand feature in Windows 11 24H2.

The second phase, which is expected to commence around 2027, will still have the feature on-demand, but will no longer be enabled by default. VBScript is expected to be fully retired and eliminated from the Windows operating system at some undetermined date in the future.

“This means all the dynamic link libraries (.dll files) of VBScript will be removed,” Shankar said. “As a result, projects that rely on VBScript will stop functioning. By then, we expect that you’ll have switched to suggested alternatives.”

The development comes days after Microsoft confirmed its plans to deprecate NT LAN Manager (NTLM) in Windows 11 in the second half of the year in favor of Kerberos for authentication.

Both NTLM and VBScript are known to be abused by threat actors to conduct malicious activities, prompting Redmond to remove features in an attempt to minimize the attack surface.

Microsoft has since also disabled Excel 4.0 (XLM) macros and Visual Basic for Applications (VBA) macros, blocked XLL add-ins, and rolled out the ability to prevent users from opening risky file extensions in OneNote.

Microsoft Runs into Hot Water with Recall

News of the VBScript deprecation also follows criticism that Microsoft’s newly announced artificial intelligence (AI)-powered Recall feature poses privacy concerns and undermines Windows security.

Recall has been advertised as an “explorable timeline of your PC’s past” and a way for users to “access virtually what you have seen or done on your PC in a way that feels like having photographic memory.” It’s currently only available on Copilot+ PCs.

According to Microsoft’s own documentation, the Recall system component periodically saves snapshots of the user’s active window and stores them locally. It then makes use of screen segmentation and image recognition to extract insights from them and saves the data in a semantic index.

Third-party app developers can also leverage this feature by offering users the ability to semantically search these saved snapshots and surface content related to their applications.

Microsoft has been quick to emphasize that Recall processes the content locally on the device and that snapshots are encrypted by Device Encryption or BitLocker. It also notes that snapshots are not shared with other users who are signed into Windows on the same device.

“Recall won’t save any content from your private browsing activity when you’re using Microsoft Edge, Google Chrome, or other Chromium-based browsers,” the company said. “Recall treats material protected with digital rights management (DRM) similarly.”

But one crucial caveat with Recall is that it does not perform content moderation, meaning it will not obscure content present in confidential documents or sensitive information such as passwords or financial account numbers entered on websites that do not follow standard internet protocols like cloaking password entry.

The U.K. Information Commissioner’s Office (ICO) said it’s in contact with Microsoft to understand what safeguards are in place to protect user privacy.

“We expect organizations to be transparent with users about how their data is being used and only process personal data to the extent that it is necessary to achieve a specific purpose,” the ICO said.

“Industry must consider data protection from the outset and rigorously assess and mitigate risks to peoples’ rights and freedoms before bringing products to market.”

Security researcher Kevin Beaumont described Recall as a “keylogger […] baked into Windows” and said the lack of safety guardrails could allow threat actors that have already compromised a system through other means to steal snapshots and gather valuable information.

“With Recall, as a malicious hacker you will be able to take the handily indexed database and screenshots as soon as you access a system — including 3 months history by default,” Beaumont said.
