New Update After killing MSDT, Microsoft looks to add VBScript removal in Windows 11 23H2 (Moment 4)

Gandalf_The_Grey

Right at the end of February, Microsoft rolled out its Moment 2 update (KB5022913) and as one would expect from such a major release, the changelog was massive, detailing lots of smaller improvements and fixes. Following that, the Beta channel has moved into the new build 22624 territory (KB5023011), which means Beta users have now begun receiving Moment 3 features.

Meanwhile, over on the Dev channel, Windows Insiders are getting a taste of features and changes that should be in the Moment 4 Update. It is expected that Moment 4 will release in the second half of 2023 and will be the Windows 11 version 23H2 feature update. The latest Dev build 25309 brings in many big changes, including a move to WinUI 3 from WinUI 2, a new OOBE, and many more improvements. The previously leaked volume mixer is also available now.

Aside from these announced features, build 25309 also has some unannounced features too, one of which happens to be the option to uninstall VBScript. The uninstall option also cautions users about the security vulnerabilities of VBScript.

VBScript or Visual Basic Script is a legacy active scripting language and engine that has been exploited several times to spread malware, which led Microsoft to disable it inside Internet Explorer. Overall, it looks like Microsoft is trying to make the next gen Windows 11 more secure, seeing how it follows the recent official announcement of the MSDT deprecation.
 

ForgottenSeer 98186

Aside from these announced features, build 25309 also has some unannounced features too, one of which happens to be the option to uninstall VBScript. The uninstall option also cautions users about the security vulnerabilities of VBScript.

VBScript or Visual Basic Script is a legacy active scripting language and engine that has been exploited several times to spread malware, which led Microsoft to disable it inside Internet Explorer. Overall, it looks like Microsoft is trying to make the next gen Windows 11 more secure, seeing how it follows the recent official announcement of the MSDT deprecation.

It's dead Jim! It's dead!

But it is much more secure to simply disable Windows Scripting Host because it can still execute .js, .jse, .wsf, .wsh scripts.

Microsoft has offered the option to disable wscript.exe on any version or edition of Windows for years by setting these two registry keys:


Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\

Create (if it doesn't exist already) a new REG_DWORD key, call it Enabled and assign a value of 0 (zero) to it.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\

Create (if it doesn't exist already) a new REG_DWORD key, call it Enabled and assign a value of 0 (zero) to it.
 

TairikuOkami


Microsoft looks to add VBScript removal in Windows 11 23H2

About time, I have disabled it since XP. Now, let's re-evaluate PowerShell 2.0; Constrained Language does not help much if malware can fall back to PS 2.0.
But it is much more secure to simply disable Windows Scripting Host because it can still execute .js, .jse, .wsf, .wsh scripts.
To disable WSH on x64, you are supposed to use WOW6432Node as well, but I also use DisallowRun, just to be sure.
Code:
reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\WOW6432Node\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "11" /t REG_SZ /d "cscript.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "50" /t REG_SZ /d "wscript.exe" /f
 

ForgottenSeer 98186

To disable WSH on x64, you are supposed to use WOW6432Node as well, but I also use DisallowRun, just to be sure.
The above 2 keys block sysnative (SysWOW64) abuse of wscript and cscript.

Perhaps there is a way to circumvent it via runspace or namespace trickery. It's possible. So your additional rules might patch that trickery. You are doubly-insured.
 

ForgottenSeer 98186

Now, let's re-evaluate PowerShell 2.0; Constrained Language does not help much if malware can fall back to PS 2.0.
It is ridiculous that Microsoft still ships Windows with PowerShell version 2.0 enabled by default.

PoSh 2.0 is a perfect example of Microsoft saying something is "deprecated" but then not removing it.
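
A read-only audit of the settings discussed in the posts above (the WSH `Enabled` values, the `DisallowRun` entries and the PowerShell 2.0 engine), given here as an added example that is not part of any forum post. The function names are made up for the example, and the optional-feature names `MicrosoftWindowsPowerShellV2Root` and `MicrosoftWindowsPowerShellV2` do not appear in the thread; they are the names Windows client editions use for the PowerShell 2.0 engine.

```powershell
# Added example: read-only audit, changes nothing. Function names are illustrative.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-WshState {
    # The three locations named in the thread: per-user, machine, and 32-bit view.
    $paths = 'HKCU:\Software\Microsoft\Windows Script Host\Settings',
             'HKLM:\Software\Microsoft\Windows Script Host\Settings',
             'HKLM:\Software\WOW6432Node\Microsoft\Windows Script Host\Settings'
    foreach ($p in $paths) {
        $v = Get-RegValue -Path $p -Name 'Enabled'
        # "$v" also matches a REG_SZ "0"; an absent value leaves WSH enabled.
        [pscustomobject]@{ Check = "WSH Enabled @ $p"; Value = "$v"; Hardened = ("$v" -eq '0') }
    }
}

function Get-DisallowRunState {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $enforced = Get-RegValue -Path $base -Name 'DisallowRun'   # 1 = list is enforced
    $listed = @()
    $key = Get-Item -Path "$base\DisallowRun" -ErrorAction SilentlyContinue
    if ($key) { $listed = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) }) }
    foreach ($exe in 'wscript.exe', 'cscript.exe') {
        $hit = $listed -contains $exe    # case-insensitive match
        [pscustomobject]@{ Check = "DisallowRun lists $exe"; Value = "$hit"
                           Hardened = ("$enforced" -eq '1') -and $hit }
    }
}

function Get-PowerShellV2State {
    # Needs an elevated session; a failed query is reported, not treated as "removed".
    foreach ($name in 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2') {
        try {
            $state = "$((Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction Stop).State)"
            $ok = $state -like 'Disabled*'
        } catch { $state = 'query failed'; $ok = $null }
        [pscustomobject]@{ Check = "Optional feature $name"; Value = $state; Hardened = $ok }
    }
}

@(Get-WshState) + @(Get-DisallowRunState) + @(Get-PowerShellV2State) |
    Format-Table -AutoSize -Wrap
```

The HKCU checks describe only the account running the script, so run it as the user being audited. `DisallowRun` is an Explorer policy and applies only to programs started by the File Explorer process, which is why the WSH `Enabled` rows matter independently of it.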
 
