Microsoft is transitioning from VBScript to JavaScript and PowerShell

Microsoft announced on Wednesday its decision to deprecate Visual Basic Script (VBScript) in the latter half of 2024, in favor of more sophisticated alternatives like JavaScript and PowerShell.

“With the advancement in technology, we now have more robust and adaptable scripting languages such as JavaScript and PowerShell,” Microsoft Program Manager Naveen Shankar stated. “These languages offer enhanced capabilities and are better suited for contemporary web development and automation tasks.”

The company initially revealed its strategy to gradually phase out VBScript in October 2023.

VBScript, also known as Visual Basic Scripting Edition, was introduced by Microsoft in 1996 as a Windows system component to allow users to automate tasks and create interactive web pages using Internet Explorer and Edge (in Internet Explorer mode).

The deprecation plan consists of three phases, with the first phase beginning in the latter half of 2024, during which VBScript will be accessible as an on-demand feature in Windows 11 24H2.

In the second phase, anticipated to start around 2027, VBScript will remain available as an on-demand feature but will no longer be enabled by default. VBScript is set to be fully retired and removed from the Windows operating system at an unspecified future date.

“This means all the dynamic link libraries (.dll files) of VBScript will be removed,” Shankar explained. “As a result, projects relying on VBScript will cease to function. We anticipate that users will have transitioned to the recommended alternatives by then.”

Microsoft’s decision to deprecate VBScript comes shortly after confirming its plans to deprecate NT LAN Manager (NTLM) in Windows 11 in the latter half of the year in favor of Kerberos for authentication.

Both NTLM and VBScript have been known to be exploited by malicious actors to carry out harmful activities, prompting Microsoft to eliminate these features to reduce the attack surface.

Additionally, Microsoft has disabled Excel 4.0 (XLM) macros and Visual Basic for Applications (VBA) macros, blocked XLL add-ins, and introduced the option to prevent users from opening high-risk file extensions in OneNote.

Microsoft Faces Criticism over Recall

Microsoft’s decision to deprecate VBScript comes amidst criticism of its newly launched Recall feature, powered by artificial intelligence (AI), which has raised privacy concerns and security issues.

Recall has been promoted as an “explorable timeline of your PC’s past,” allowing users to “virtually access what you have seen or done on your PC in a manner that resembles having photographic memory.” Currently, it is only available on Copilot+ PCs.

According to Microsoft’s documentation, the Recall system component periodically saves snapshots of the user’s active window and stores them locally. It then employs screen segmentation and image recognition to derive insights and stores the data in a semantic index.

Third-party app developers can also utilize this feature to enable users to semantically search these saved snapshots and display related content from their applications.

Microsoft has emphasized that Recall processes content locally on the device and encrypts snapshots using Device Encryption or BitLocker. The snapshots are not shared with other users signed into Windows on the same device.

“Recall does not save any content from private browsing activities when using Microsoft Edge, Google Chrome, or other Chromium-based browsers,” the company stated. “It treats DRM-protected content in a similar manner.”

However, Recall lacks content moderation, meaning it may not obscure sensitive data like passwords or financial information entered on websites that do not follow standard internet protocols for password entry.

The U.K. Information Commissioner’s Office (ICO) is in contact with Microsoft to understand the data protection measures in place to safeguard user privacy.

“Organizations are expected to be transparent with users about their data usage and process personal data only as necessary for specific purposes,” the ICO added.

Security researcher Kevin Beaumont described Recall as a “keylogger […] integrated into Windows,” raising concerns that threat actors could exploit the feature to access valuable information from compromised systems.

“With Recall, malicious hackers can access the efficiently indexed database and snapshots immediately upon system access—up to 3 months of history by default,” Beaumont warned.
