Cyber security news for all

More

    Microsoft’s Pivot to the Future: Bidding Farewell to VBScript in Favor of JavaScript and PowerShell

    On Wednesday, Microsoft delineated its intention to phase out Visual Basic Script (VBScript) by the latter half of 2024, favoring more sophisticated alternatives such as JavaScript and PowerShell.

    “Technological advancements have given rise to more powerful and versatile scripting languages like JavaScript and PowerShell,” stated Microsoft Program Manager Naveen Shankar. “These languages offer broader capabilities and are better suited for contemporary web development and automation tasks.”

    The tech titan initially announced its gradual deprecation of VBScript in October 2023.

    First introduced by Microsoft in 1996 as a Windows system component, VBScript—also known as Visual Basic Scripting Edition—enabled users to automate tasks and create interactive web pages using Internet Explorer and Edge (in Internet Explorer mode).

    The deprecation strategy comprises three phases. The first phase will commence in the second half of 2024, at which point VBScript will be available as an on-demand feature in Windows 11 24H2.

    In the second phase, expected to begin around 2027, VBScript will remain on-demand but will no longer be enabled by default. Ultimately, VBScript is set to be fully retired and expunged from the Windows operating system at an undetermined future date.

    “This implies the removal of all dynamic link libraries (.dll files) associated with VBScript,” Shankar elaborated. “Consequently, projects dependent on VBScript will cease to function. By then, we anticipate that users will have transitioned to the recommended alternatives.”

    This development closely follows Microsoft’s confirmation of its plans to deprecate NT LAN Manager (NTLM) in Windows 11 later this year in favor of Kerberos for authentication.

    Both NTLM and VBScript have been exploited by threat actors for malicious purposes, prompting Microsoft to eliminate these features to minimize the attack surface.

    Additionally, Microsoft has disabled Excel 4.0 (XLM) macros and Visual Basic for Applications (VBA) macros, blocked XLL add-ins, and introduced features to prevent users from opening risky file extensions in OneNote.

    Microsoft Faces Scrutiny Over Recall

    The news of VBScript’s deprecation coincides with criticism regarding Microsoft’s recently unveiled artificial intelligence (AI)-powered Recall feature, which raises privacy concerns and potentially undermines Windows security.

    Recall is marketed as an “explorable timeline of your PC’s past,” allowing users to “virtually access what you have seen or done on your PC as if you had photographic memory.” Currently, it is available only on Copilot+ PCs.

    Microsoft’s documentation reveals that Recall periodically captures snapshots of the user’s active window and stores them locally. It employs screen segmentation and image recognition to extract insights from these snapshots, saving the data in a semantic index.

    Third-party app developers can utilize this feature by enabling users to semantically search these saved snapshots and access content related to their applications.

    Microsoft emphasizes that Recall processes content locally on the device and that snapshots are encrypted using Device Encryption or BitLocker. It assures that snapshots are not shared with other users signed into Windows on the same device.

    “Recall does not save content from private browsing sessions in Microsoft Edge, Google Chrome, or other Chromium-based browsers,” the company stated. “It treats DRM-protected content similarly.”

    However, Recall does not perform content moderation, meaning it does not obscure sensitive information in confidential documents or passwords entered on websites that do not adhere to standard internet protocols.

    The U.K. Information Commissioner’s Office (ICO) has contacted Microsoft to understand the safeguards in place to protect user privacy.

    “We expect transparency from organizations regarding data usage and mandate that personal data processing is confined to necessary purposes,” the ICO stated. “Industries must consider data protection from the outset, rigorously assessing and mitigating risks to individuals’ rights and freedoms before launching products.”

    Security researcher Kevin Beaumont likened Recall to a “keylogger embedded in Windows,” cautioning that inadequate safety measures could allow already compromised systems to have snapshots and valuable information stolen by malicious actors.

    “With Recall, a malicious hacker can access the indexed database and screenshots as soon as they compromise a system, obtaining up to three months of history by default,” Beaumont warned.

    Recent Articles

    Related Stories