You can now disable JScript execution in Internet Explorer
Internet Explorer is not a huge priority anymore at Microsoft but the latest version of the web browser is still maintained by Microsoft and security patches do get released regularly. Each month, security updates are released that should be installed even if Internet Explorer is not used at all or rarely used.
Microsoft introduced an option on the October 2020 Patch Day for its products to disable the JScript component of the company's Internet Explorer browser; this is done to improve overall security according to Microsoft. The option has been implemented with organizations in mind, but nothing is keeping home Windows administrators from disabling the feature on their devices as well.
Microsoft's Benjamin Soon provides some insight on Microsoft's decision on the company's Tech Community website:
Jscript is a legacy Microsoft implementation of the ECMA 262 language specification. Blocking Jscript helps protect against malicious actors targeting the JScript scripting engine while maintaining user productivity as core services continue to function as usual.
Microsoft recommends that JScript is disabled in the Internet and Restricted Zones. The process requires Registry edits and on older systems the configuration of a feature control key.
Devices with Windows 10 version 1803 or later support the new Registry values out of the box. Here is how you restrict JScript execution in Internet Explorer, restrict JScript from executing scripts for emulated applications, and restrict JScript from executing scripts from MSXML3 and MSXML6.
1. Use Windows-R to open the run box.
2. Type regedit and hit OK.
3. Confirm the UAC prompt.
4. Disabling JScript execution in the Internet Zone:
   - Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
   - Right-click on 140D and select Modify.
   - Change the value to 3.
   - Select OK.
5. Disabling JScript execution in Restricted Sites Zone:
   - Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\
   - Right-click on 140D and select Modify.
   - Change the value to 3.
   - Select OK.
6. Restrict JScript from executing scripts from emulated applications:
   - Go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
   - Right-click on 140D and select New > Dword (32-bit) Value.
   - Name it EnableJScriptMitigation.
   - Set its value to 1.
   - Click OK.
7. Restrict MSXML3 and MSXML6 script execution:
   - MSXML3 on 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSXML30
   - MSXML6 on 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSXML60
   - MSXML3 on 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSXML30
   - MSXML6 on 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSXML60
   - Right-click on the keys and select New > Dword (32-bit) Value.
   - Name it EnableJScriptMitigation.
   - Set its value to 1.
   - Click OK.
8. Restart Internet Explorer.
Internet Explorer won't run JScript from sites that use Internet Explorer's legacy document modes, provided that the sites are in the Internet Zone or Restricted Sites Zone. Additionally, if you set the keys described in steps 6 and 7 above (emulated applications and MSXML), JScript cannot execute scripts from emulated applications or from MSXML3 and MSXML6.
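The registry steps above can be audited, and optionally applied, in one pass with PowerShell. This is an added example, not part of the original article or Microsoft's guidance: the script layout, the `-Apply` switch and the variable names are assumptions, while the key paths and values are the ones listed in the steps, including the emulated-application value exactly as the article gives it.

```powershell
# Added example: audit (default) or apply (-Apply) the JScript settings from the steps above.
# Run from an elevated 64-bit PowerShell session so HKLM\SOFTWARE is not redirected.
param([switch]$Apply)

$zones = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$wow   = 'SOFTWARE\WOW6432Node'
$is64  = [Environment]::Is64BitOperatingSystem

# Key (relative to HKLM), value name and expected DWORD, as listed in the article.
$settings = @(
    @{ Key = "$zones\3"; Name = '140D'; Want = 3 }   # Internet Zone
    @{ Key = "$zones\4"; Name = '140D'; Want = 3 }   # Restricted Sites Zone
)
if ($is64) {
    # WOW6432Node exists only on 64-bit Windows.
    $settings += @{ Key = "$wow\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
                    Name = 'EnableJScriptMitigation'; Want = 1 }   # emulated applications
    $msxmlRoot = "$wow\Microsoft"
} else {
    $msxmlRoot = 'SOFTWARE\Microsoft'
}
foreach ($k in 'MSXML30', 'MSXML60') {
    $settings += @{ Key = "$msxmlRoot\$k"; Name = 'EnableJScriptMitigation'; Want = 1 }
}

$report = foreach ($s in $settings) {
    $path = "HKLM:\$($s.Key)"
    # Missing key or value yields $null, which is reported as non-compliant.
    $have = (Get-ItemProperty -Path $path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($Apply -and $have -ne $s.Want) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $s.Name -PropertyType DWord -Value $s.Want -Force | Out-Null
        $have = (Get-ItemProperty -Path $path -Name $s.Name).($s.Name)
    }
    [pscustomobject]@{
        Key       = $s.Key
        Name      = $s.Name
        Expected  = $s.Want
        Current   = if ($null -eq $have) { '(not set)' } else { $have }
        Compliant = ($have -eq $s.Want)
    }
}

$report | Format-Table -AutoSize -Wrap
# A non-zero exit code lets a management tool flag machines that still need the change.
if ($report.Compliant -contains $false) { exit 1 }
```

Without `-Apply` the script only reads the registry, so it can be run as a compliance check; Internet Explorer still has to be restarted after values are written.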
You can check out Microsoft's support article for additional details.
@Martin
“– security updates are released that should be installed even if Internet Explorer *is not used at all* –.”
Can you explain why these updates should be installed (Internet Explorer related)? Usually it is hard to know what is important so a user should install all updates. Is that what you mean?
@Martin Brinkmann or someone
Maybe you don’t have time to answer or it is hard to find new comments because of the structure of this forum; if someone else knows the answer it would help. Now there are only a few comments, however it is difficult to follow new comments about old news. I did mean that a regular user should install generally all updates or these particular updates have other effects.
Never mind.
@Anonymous , there are two RSS feeds available for Ghacks,
1- Article feeds : [https://www.ghacks.net/feed/]
2- Comment feeds : [https://www.ghacks.net/comments/feed/]
The comments feed makes it easy to “follow new comments about old news.” I’ve happened to acknowledge/reply to latest comments on old, even very old! articles.
Of course you’ll need an RSS reader, either as an application or as a browser extension if your browser has none natively.
@Tom Hawack
Thank you for the advice about the RSS feed. I commented yesterday: “Never mind” because Martin Brinkmann was busy or he didn’t notice my comments and I understood it. However he didn’t publish that proper comment.
In my opinion:
From a privacy perspective, I avoid “Microsoft and Google services” in principle.
Because of that point of view, the function of “Internet Explorer” has been “disabled as much as possible” using W10Privacy etc., and “blocked” has been set in simplewall etc.
https://www.w10privacy.de/english-home/instructions-1/
https://www.henrypp.org/product/simplewall
However, I referred to this topic and took “additional measures”.
Thanks for the article.
I’d just disable IE from “Windows Features”
C:\Windows\System32\OptionalFeatures.exe
Do note this will not affect any program requiring the Trident engine, like many VPN clients do, or certain Windows features.