
On VBScript

124 points | wglb | 7 years ago | googleprojectzero.blogspot.com

88 comments

[+] qwerty456127|7 years ago|reply
> Windows 10 Fall Creators Update, Microsoft disabled VBScript execution in Internet Explorer in the Internet Zone and the Restricted Sites Zone by default

I'm very surprised this wasn't done a decade ago.

[+] codeflo|7 years ago|reply
At this point, it's probably safe to assume that every feature in Windows that hasn't been touched for the last decade has severe security problems. And it's not only Microsoft -- maybe their approach to backwards compatibility makes them especially vulnerable, but similar things have happened in the free software ecosystem as well. It's basically a very insidious form of bitrot.

So what's the lesson here? Aggressively remove old features, as you suggest? Rewrite everything every few years? Software has become way too complex to closely audit everything forever...

[+] tlb|7 years ago|reply
VB's evaluation order, in which the left side of an assignment is evaluated before the right side, seems like a terrible idea. In most languages including C and C++, it's specified that the RHS is evaluated first. Since, of course, the RHS might have a side effect on the location of the LHS.

Is there some advantage to LHS-first that I can't think of?

[+] alangpierce|7 years ago|reply
Interesting, my intuition is the opposite: that left-to-right evaluation is clearly the better approach. I just tested a few languages and it turns out that there's no clear agreed-upon answer, but LHS first seems to be more common at least for recent languages:

LHS first: JavaScript, Java, Go, C#, Swift, PHP, Ruby

RHS first: C++, Python, Rust

I ran this sort of code for all of them:

    # Python 3 version; prints which side of the assignment runs first
    def lhs(): print("LHS"); return 0
    def rhs(): print("RHS"); return 0
    a = [0]
    a[lhs()] = rhs()   # Python prints RHS, then LHS

"=" is syntactically just a binary operator, so I expect it to behave like other binary operators (and AFAIK all other binary operators evaluate left-to-right in almost all languages). It's special because the LHS evaluates to an assignable reference rather than to a value, but nothing stops you from evaluating the left side in full before starting to evaluate the right side. As with every binary operator, it's possible to write code such that the evaluation of one side affects the result of evaluating the other side, but of course that sort of code is really fragile anyway.
[+] userbinator|7 years ago|reply
> including C and C++, it's specified that the RHS is evaluated first.

I did not check C++ but for C, according to ISO/IEC 9899:1999 section 6.5.16 paragraph 4 on the semantics of the assignment operator: "The order of evaluation of the operands is unspecified."

[+] int_19h|7 years ago|reply
Evaluating expressions left-to-right is a simple rule that can be universally applied, and produces predictable results.

The problem here, in any case, isn't the order of evaluation. It's that the array bound check is done at the wrong time.
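The two points above, alangpierce's probe of which side of `a[lhs()] = rhs()` runs first and int_19h's observation that the real problem is a bounds check done at the wrong time, as one added JavaScript example (not code from the Project Zero post or from any commenter in this thread). `ToyArray`, `storeCheckedBeforeRhs` and `storeCheckedAtWrite` are a hypothetical model of an interpreter's element-store step, not VBScript's actual implementation; `redim` stands in for any right-hand-side side effect that shrinks the array being assigned to.

```javascript
// Added example: evaluation-order probe plus a toy model of an element store
// whose bounds check runs before the right-hand side (the bug pattern) and one
// whose check runs at the moment of the write (the fix). Hypothetical model.

// 1. Same probe as the Python snippet in the thread, in JavaScript.
function assignmentOrder() {
  const trace = [];
  const a = [0];
  const lhs = () => { trace.push("LHS"); return 0; };
  const rhs = () => { trace.push("RHS"); return 1; };
  a[lhs()] = rhs();   // JavaScript evaluates the target expression first
  return trace;       // ["LHS", "RHS"]
}

// 2. A resizable array with a logical length and a backing buffer. Shrinking
// via redim() models the script freeing the tail of the buffer mid-statement.
class ToyArray {
  constructor(n) { this.backing = new Array(n).fill(0); this.length = n; }
  redim(n) { this.length = n; this.backing.length = n; }
}

// Bug pattern: index evaluated and bounds-checked, THEN the RHS runs. If the
// RHS shrinks the array, the stale check no longer covers the write.
function storeCheckedBeforeRhs(arr, indexFn, valueFn) {
  const i = indexFn();
  if (i < 0 || i >= arr.length) throw new RangeError("index out of bounds");
  const v = valueFn();      // may call arr.redim(...) and invalidate the check
  arr.backing[i] = v;       // lands past the new end: an out-of-bounds write
  return arr;
}

// Fix: evaluate both sides, then check against the array as it is right now.
function storeCheckedAtWrite(arr, indexFn, valueFn) {
  const i = indexFn();
  const v = valueFn();
  if (i < 0 || i >= arr.length) throw new RangeError("index out of bounds");
  arr.backing[i] = v;
  return arr;
}

// Drive one store implementation with a constructed attacker-style RHS that
// shrinks the array during evaluation. Returns true if the model recorded a
// write beyond the logical length (the toy stand-in for memory corruption).
function oobWriteHappened(storeFn) {
  const arr = new ToyArray(8);
  const indexFn = () => 7;                                // valid while length is 8
  const valueFn = () => { arr.redim(2); return 0x41; };   // shrinks to 2 on the RHS
  try {
    storeFn(arr, indexFn, valueFn);
  } catch (e) {
    if (e instanceof RangeError) return false;            // store was refused
    throw e;
  }
  return arr.backing.length > arr.length;
}

console.log("assignment order:", assignmentOrder().join(" then "));
console.log("check before RHS -> OOB write:", oobWriteHappened(storeCheckedBeforeRhs));
console.log("check at write   -> OOB write:", oobWriteHappened(storeCheckedAtWrite));
```

In the buggy ordering the check passes against the old length, the RHS shrinks the array, and the write lands past the new end; in a native engine that is a write into freed or reallocated memory, which is the class of problem the thread is discussing. Checking the bound at the moment of the write (or re-checking after the RHS has run) closes it regardless of which side the language chooses to evaluate first.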

[+] eropple|7 years ago|reply
Just guessing, but perhaps it's more intuitive to non-programmers/casual users? You read left-to-right.
[+] minitech|7 years ago|reply
> Since, of course, the RHS might have a side effect on the location of the LHS.

That’s a reason it matters which one is evaluated first, but not a reason to evaluate the RHS first.

[+] beobab|7 years ago|reply
I seem to remember my university lecturer (way back in '96) demonstrating that rightmost evaluation could lead to "variable capture", but that "leftmost-outermost" evaluation would always avoid that problem.

It's been a while, however, so I might be remembering wrong (or indeed have misunderstood).

[+] rienbdj|7 years ago|reply
Better to avoid computations on the Lhs entirely!
[+] mevile|7 years ago|reply
It's crazy to me to realize that there are still people employed at Microsoft who work on VBScript. I love VBScript, lots of great memories, but I don't know anyone who uses it anymore, not even VB.Net.
[+] ocdtrekkie|7 years ago|reply
A lot of business line applications are still written in VB.NET. Personally, I write all of my hobby code in VB.NET since it's more or less the same as writing C# but I find VB syntax more comfortable.

There are even claims it's the fifth most popular language out there today. https://visualstudiomagazine.com/articles/2018/12/17/tiobe-v... Not a lot of other parties agree with that, on the one hand; on the other hand, a shockingly large number of developers do not work in Silicon Valley, and a lot of those developers aren't using the latest JavaScript frameworks for their day-to-day jobs.

[+] simonh|7 years ago|reply
VB.NET is still taught in the GCSE (secondary school) Computer Science course in the UK. My daughters are doing it now. Fortunately they are able to run it fine in Visual Studio for Mac.

I’m teaching them a bit of Python as well, but I’m impressed with the material they’re doing at school, it’s all good stuff even if the language is a bit clunky. Apparently they will be using Java for the International Baccalaureate in a few years.

[+] leeman2016|7 years ago|reply
Some time ago I had to work on a heavy XML processing application and found out VB.NET had a nice XML literals feature. I completed the development using it and it was a joy.

EDIT: To anyone who didn't get it, XML literals are used like this:

  Dim myContact = <contact><%= p.Name %></contact>
  Dim allContacts = <contacts><%= From c in db.contacts Select <contact><%= c.Name %></contact> %></contacts>
[+] z3t4|7 years ago|reply
I'm pretty sure vbScript as a language, or even the vbScript engine in Windows has not got any updates whatsoever in the last 15 years. It's still a nice language though, not to be confused with Visual Basic, (like JavaScript vs Java).
[+] jetti|7 years ago|reply
I use VBScript at work. I maintain a system that was started in the early 2000s and uses Classic ASP and continues on to this day. They are rewriting it slowly but in the meantime I get the joy of keeping it running.
[+] wglb|7 years ago|reply
It might surprise you to know that there are many heavy, industrial scale systems written in VB.net
[+] xellisx|7 years ago|reply
MS Office stuff. Excel and Outlook use VBS. I've had to do some crazy stuff in Outlook with VBS.
[+] FroshKiller|7 years ago|reply
I'm a professional programmer working full-time on multiple Visual Basic .NET applications. Apart from SQL and the odd bit of HTML, CSS, and JavaScript, it's the only language I need to know. I know more and can work in more, but it's all that I and the hundreds of other programmers in the company need.
[+] agumonkey|7 years ago|reply
I used VB a bit after a bit of linux/bash and I was super sad that MS never (even though it's not surprising[1]) marketed VB as a system customization language for Windows'es. It's not a great language, but at least it has some kinds of type, and with COM modules you can tap into just about anything in your OS (for better or worse of course). Bash felt like a string grep hell very fast to me.

And nowadays powershell seems a great replacement.

[1] of course Windows wasn't meant for tinkerers but for users/customers; developing was for the MSDN side of things, for which you'd agree to pay because you'd sell your creations I guess

[+] jaabe|7 years ago|reply
We still use it for a few services, like creating xml on our scanners that store who scanned a document so it can be automatically filed.

Moving data dumps onto and from SFTPs.

Emptying outlook mailboxes and storing their content so our SSIS/SSAS services can use it.

Stuff like that. We could use other things I suppose, and it is slowly getting replaced, but VBScript is the only language everyone knows, from the IT technician to the developers, and that has been really valuable to us.

[+] pjmlp|7 years ago|reply
Many people in life sciences domain use VB.NET when their macros cannot live anymore inside Excel, or for simple programming tasks without having to mess with IT.
[+] peteretep|7 years ago|reply
So I got downvoted last time I brought this up, but if a large corporation hasn't fuzzed their products / code, doesn't this start to border on negligence?

Bugs will of course happen, but failure to fuzz products from companies that employ tens of thousands of people seems inexcusable.

[+] oconnor663|7 years ago|reply
Fuzzing is great and undefined behavior is terrible, so I mostly agree with you. But negligence is a high bar, so let me add at least a small counterpoint:

These big, old systems are full of crashes. Many of them have been triggered and investigated before, and determined not to be a security vulnerability, and so left as they are. If you fuzz these systems, you might find a lot more false positives than real exploitable vulnerabilities. It might be even worse than that, with the false positives being so many that they get in the way of the fuzzer actually discovering new issues.

If these were newer projects, it might make sense to really clean the codebase up and fix every crash. That would make debugging tools more useful, and it would avoid future cases where some compiler update turns your "harmless" crash into an exploit. But in these legacy projects, that sort of cleanup would be very expensive, and many of the devs with the expertise to do a proper job of it have long since moved on. It really might not make economic sense to invest that much in cleanup, even if Microsoft has fully internalized the cost of vulnerabilities to their users.

[+] Someone1234|7 years ago|reply
After you've tried setting up and conducting fuzzing (rather than just reading someone else's success stories) you'll see why we cannot assume they haven't. Fuzzing isn't a binary state: you can spend weeks fuzzing something, and then someone else with a different methodology can find dozens of new bugs.

Fuzzing scripting languages is particularly complicated because the languages themselves have infinite state. The more complicated the fuzzer, the more coverage it has, but even writing a bespoke language-specific fuzzer is about as complicated as creating the language itself.

[+] da_chicken|7 years ago|reply
It should, but it doesn't. People haven't quite figured out that when software becomes infrastructure that software engineering should look a lot more like civil engineering.
[+] wglb|7 years ago|reply
One interesting bit:

> If an attacker-controlled data is interpreted as a VBScript variable, this can result in a lot more than just infoleak and can easily be converted into a code execution. This issue is a good example of why, in general, an out-of-bounds read can be more than an infoleak: it always depends on precisely what kind of data is being read and how it is used.

How leaks can become RCE.

[+] lixtra|7 years ago|reply
It feels like the language got too many features and then the model got so complicated that devs could no longer correctly reason about it. I would suspect that such errors are less likely in a simple language like Lisp.

Did similar exploits happen in JavaScript?

[+] arethuza|7 years ago|reply
"simple language like lisp"

I guess some lisps might be simple but I wouldn't call Common Lisp simple!

[+] colordrops|7 years ago|reply
JavaScript is not hard to reason about.
[+] csours|7 years ago|reply
Poor, ancient VBScript! Oh, how you would benefit from Raymond Chen's time machine...
[+] ec109685|7 years ago|reply
Why doesn’t Internet Explorer / Microsoft sandbox VBScript like Chrome does?
[+] Digit-Al|7 years ago|reply
Weirdly I just get a blank page when I look at this.
[+] zyx321|7 years ago|reply
Blogspot does not like it when you disable Javascript.