Microsoft says that customers can now disable JScript (JScript.dll) execution in Internet Explorer 11 after installing the Windows October 2020 monthly security updates.
JScript is a legacy Microsoft implementation of the ECMAScript language specification in the form of an Active Scripting engine.
Adding an option to disable JScript’s execution is a huge security improvement since it allows IT admins to provide users with a more secure browsing experience across enterprise environments where IE11 is still the web browser of choice for legacy software solutions.
“Blocking Jscript helps protect against malicious actors targeting the JScript scripting engine while maintaining user productivity as core services continue to function as usual,” Microsoft explains.
How to disable JScript
First of all, to be able to disable JScript execution in Internet Explorer you will first have to install the IE Cumulative security update released in April 2017 (or a newer one).
Additionally, before toggling off IE JScript execution on Windows 8, Windows 8.1, and Windows 10 versions 1507 up to 1709, it must be enabled using an Internet feature control key — instructions on how to configure such a key are available here.
To manually toggle off IE JScript execution in Internet Explorer for Internet Zone and Restricted Sites Zone, you need to go through the following procedure:
- Click Start, click Run, type regedt32 or regedit, and then click Ok.
- To disable JScript execution in Internet Zone, locate the following registry subkey in Registry Editor:
To disable JScript execution in Restricted Sites Zone, locate the following registry subkey in Registry Editor:
- Right-click the appropriate registry subkey, and then click Modify.
- In the Edit DWORD (32-bit) Value dialog box, type 3.
- Click OK, and then restart Internet Explorer.
After this, Internet Explorer will no longer run JScript from sites using IE legacy document modes (IE9 and earlier versions), as well as on those that are in the Internet Zone or Restricted Sites Zone.
To re-enable JScript execution for one or both security sones, you will have to set the value of the corresponding registry subkey to 0 and to restart Internet Explorer for the change to be applied.
JScript can also be blocked from executing scripts for emulated apps (including 32-bit programs running on 64-bit machines) by following the steps available in this advisory.
JScript and zero-day security vulnerabilities
Two actively exploited zero-day vulnerabilities were found in the JScript scripting engine and patched by Microsoft since September 2019.
Both of them were remote code execution (RCE) scripting engine memory corruption vulnerabilities stemming from the way the scripting engine handled objects in memory in Internet Explorer 9, 10, and 11.
CVE-2019-1367 was reported in September 2019 and CVE-2020-0674 in January 2020 by Clément Lecigne of Google’s Threat Analysis Group.
The two zero-days were actively exploited in targeted attacks and, according to Microsoft, if the currently logged on user has administrative permissions on a compromised device, attackers could take over the system after successful exploration, installing programs and manipulating data, as well as creating rogue accounts with full user rights.
Attackers could also exploit the zero-days using a maliciously crafted website that will remotely execute commands on the visitor’s computer without their knowledge or permission when visited using a vulnerable Internet Explorer version.
“Microsoft will continue to provide security updates for JScript via the latest cumulative updates for Windows 10, and Cumulative Updates for Internet Explorer 11 or Monthly Rollups for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard,” Microsoft says.
“If you have automatic updates enabled, updates will be automatically downloaded and installed on your users’ devices. If you have disabled automatic updates for your organization, you will need to check for updates and install them manually.”