Microsoft added a new feature to Windows this month that allows system administrators to disable the JScript component in Internet Explorer.
Let me remind you that the JScript scripting engine is an old component that was originally added to Internet Explorer 3.0 back in 1996 and was Microsoft's own variation of the ECMAScript standard. The development of JScript has long been discontinued, and in 2009, with the release of Internet Explorer 8.0, the component was declared deprecated, but the engine itself is still present in all versions of Windows as a legacy component.
For a long time, cybercriminals realized that they could use JScript in their attacks, since Microsoft rarely releases security updates for it (as a rule, only after active hacker attacks). For example, vulnerabilities CVE-2018-8653, CVE-2019-1367, CVE-2019-1429 and CVE-2020-0674 Are just a few of the 0-day JScript bugs that Microsoft engineers have had to deal with over the past three years.
All of these vulnerabilities were exploited by serious hacking teams and government hack groups, and Microsoft had to rush to release urgent patches (1, 2). However, after the patches were released, PoC exploits were freely published on GitHub, as is usually the case, and vulnerabilities quickly entered the arsenal of exploit kit developers (1, 2).
As a result, 11 years after the end of support for JScript, Microsoft finally decided to let sysadmins disable JScript execution by default. The October patches introduced new registry keys that administrators can use to block jscript.dll from executing code.
Detailed instructions on how to do this can be found in Microsoft documentation…