As part of the October 2020 Patch Tuesday security updates, Microsoft has added a new option to Windows to let system administrators disable the JScript component inside Internet Explorer.
The JScript scripting engine is an old component that was initially included with Internet Explorer 3.0 in 1996 and was Microsoft’s own dialect of the ECMAScript standard (the JavaScript language).
Development on the JScript engine ended, and the component was deprecated with the release of Internet Explorer 8.0 in 2009, but the engine remained in all Windows OS versions as a legacy component inside IE.
Over the years, threat actors realized they could attack the JScript engine, as Microsoft wasn’t actively developing it and only rarely shipped security updates for it, usually only when it was being attacked.
CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674 are some of the recent JScript zero-days that Microsoft had to deal with over the past three years.
All were bugs exploited by nation-state actors, for which Microsoft had to hurry to ship patches [1, 2]. Once the bugs were patched, proof-of-concept code was also published on GitHub, and the vulnerabilities quickly entered the arsenal of exploit kit developers [1, 2].
Now, 11 years after deprecating the component, Microsoft is finally giving system administrators a way to disable JScript execution by default.
According to Microsoft, the October 2020 Patch Tuesday introduces new registry keys that system administrators can apply to block the jscript.dll file from executing code.
Details on how this can be done are available below, as taken from Microsoft’s documentation.
Click Start, click Run, type regedt32 or regedit, and then click OK.
To disable JScript execution in Internet Zone, locate the following registry subkey in Registry Editor:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\140D
To disable JScript execution in Restricted Sites Zone, locate the following registry subkey in Registry Editor:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\140D
Right-click the appropriate registry subkey, and then click Modify.
In the Edit DWORD (32-bit) Value dialog box, type 3.
Click OK, and then restart Internet Explorer.
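The same steps can be scripted for auditing or rollout across many machines. The PowerShell below is an added example, not taken from Microsoft's documentation or the original article; the script name Set-JScriptBlock.ps1 and the -Apply switch are hypothetical, and it assumes an elevated session and that the 140D value is a DWORD, as the dialog box in the steps indicates.

```powershell
# Set-JScriptBlock.ps1 (hypothetical name): audit, and optionally set, the 140D
# value for the Internet (3) and Restricted Sites (4) zones described above.
# Writing under HKLM requires an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$zonesRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones     = [ordered]@{ '3' = 'Internet'; '4' = 'Restricted Sites' }
$valueName = '140D'
$blocked   = 3       # the value the steps above say to type

$results = foreach ($id in $zones.Keys) {
    $key     = Join-Path $zonesRoot $id
    $current = $null
    if (Test-Path $key) {
        # A missing value yields $null rather than an error
        $current = (Get-ItemProperty -Path $key -Name $valueName `
                        -ErrorAction SilentlyContinue).$valueName
    }

    if ($Apply -and $current -ne $blocked) {
        # ShouldProcess makes -WhatIf and -Confirm work for a dry run
        if ($PSCmdlet.ShouldProcess("$key\$valueName", "Set DWORD to $blocked")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $valueName -PropertyType DWord `
                -Value $blocked -Force | Out-Null
            # Read back so the report reflects what is actually stored
            $current = (Get-ItemProperty -Path $key -Name $valueName).$valueName
        }
    }

    [pscustomobject]@{
        Zone            = $zones[$id]
        Value           = $current
        JScriptDisabled = ($current -eq $blocked)
        Key             = $key
    }
}

$results | Format-Table -AutoSize
if ($results.JScriptDisabled -contains $false) {
    Write-Warning "JScript is not disabled in every zone listed above."
}
```

Run it without arguments to report the current state, or with -Apply -WhatIf to preview the change before writing it; Internet Explorer must still be restarted afterwards, as in the manual steps.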