Microsoft is phasing out VBScript in Windows to improve security
Microsoft announced plans to deprecate Visual Basic Script (VBScript) support in its Windows operating system. The company introduced VBScript, which is modeled on Visual Basic, in 1996. Web developers were the initial target of the scripting language, but it soon gained popularity with Windows administrators. Administrators used VBScript to automate tasks on Windows. Malware developers started to use the scripting language as well in their attacks, for instance to infect systems with the infamous I Love You worm.
Microsoft included VBScript in Internet Explorer, its first major web browser. Internet Explorer is no longer supported in most versions of Windows and Microsoft disabled VBScript in IE some time ago as well.. VBScript itself has been pushed aside by Microsoft's .NET framework and it has been supported with bug fixes and security fixes only for a long time.
The deprecation message on Microsoft's website provides the following information: "VBScript is being deprecated. In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system."
Microsoft doesn't provide a timeline at this point. VBScript is turned into an optional feature for Windows in "future releases" and it will continue to be enabled by default in the beginning. Eventually, Microsoft will flip a switch to make VBScript an optional component that is no longer enabled by default before removing the functionality entirely from Windows.
Windows administrators may list optional features in the Settings app. An easy way to get there is to open Start, type optional features and select the manage optional features item that is returned. Windows lists all optional feature that are installed on the page. The "add a feature" button displays all available features that are not installed at the time.
Disabling VBScript removes the attack vector
Microsoft offers no reason for disabling VBScript. Clearly, deprecation VBScript will improve security as attackers can't use .vbs scripts anymore in their attacks. While there are plenty of alternatives available, plugging one attack vector is better than nothing.
Bleeping Computer, which discovered the information, also believe that Microsoft is doing this primarily to improve security. VBScript is still used in malware attacks up to this day.
Once VBSCript is added to the optional features, Windows users may disable the feature in the Settings app. An option to disable the Windows Scripting Host to block .vbs malware is also available already.
