
On VBScript - wglb
https://googleprojectzero.blogspot.com/2018/12/on-vbscript.html
======
qwerty456127
> Windows 10 Fall Creators Update, Microsoft disabled VBScript execution in
> Internet Explorer in the Internet Zone and the Restricted Sites Zone by
> default

I'm very surprised this wasn't done a decade ago.

~~~
codeflo
At this point, it's probably safe to assume that _every_ feature in Windows
that hasn't been touched for the last decade has severe security problems. And
it's not only Microsoft -- maybe their approach to backwards compatibility
makes them especially vulnerable, but similar things have happened in the free
software ecosystem as well. It's basically a very insidious form of bitrot.

So what's the lesson here? Aggressively remove old features, as you suggest?
Rewrite everything every few years? Software has become way too complex to
closely audit everything forever...

~~~
pjmlp
Security only works properly when applied to all layers.

It is very educative to read about security models on Multics, ClearPath,
System 360/370, OS/400 among many other similar systems, their attack vectors,
and what we ended up getting by having winner takes it all with UNIX based
systems.

This year we celebrated 30 years of Morris worm.

~~~
watersb
> This year we celebrated 30 years of Morris worm.

Wow. That was one hell of a night. Melted down our university computer labs,
packed with desperate undergrads trying to complete and turn in their projects
before midnight deadline...

~~~
fujimotos
> Melted down our university computer labs

How did admins manage to disinfect servers? It should have been a hell of fun
for them, provided it was the first pandemic ever.

~~~
watersb
[https://news.ycombinator.com/item?id=5302924](https://news.ycombinator.com/item?id=5302924)

Hard reboot with email server disabled.

------
tlb
VB's evaluation order, in which the left side of an assignment is evaluated
before the right side, seems like a terrible idea. In most languages including
C and C++, it's specified that the RHS is evaluated first. Since, of course,
the RHS might have a side effect on the location of the LHS.

Is there some advantage to LHS-first that I can't think of?

~~~
alangpierce
Interesting, my intuition is the opposite: that left-to-right evaluation is
clearly the better approach. I just tested a few languages and it turns out
that there's no clear agreed-upon answer, but LHS first seems to be more
common at least for recent languages:

LHS first: JavaScript, Java, Go, C#, Swift, PHP, Ruby

RHS first: C++, Python, Rust

I ran this sort of code for all of them:

    
    
        def lhs(): print("LHS"); return 0
        def rhs(): print("RHS"); return 0
        a = [0]
        a[lhs()] = rhs()
    

"=" is syntactically just a binary operator, so I expect it to behave like
other binary operators (and AFAIK all other binary operators evaluate left-to-
right in almost all languages). It's special because the LHS evaluates to an
assignable reference rather than to a value, but nothing stops you from
evaluating the left side in full before starting to evaluate the right side.
As with every binary operator, it's possible to write code such that the
evaluation of one side affects the result of evaluating the other side, but of
course that sort of code is really fragile anyway.
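
An added example, not part of the thread or of the Project Zero post: a toy Python model of the hazard tlb describes, where the RHS changes the location the LHS already resolved to, next to an LHS-first variant that resolves and bounds-checks the slot only at store time. `ToyArray` and the function names are hypothetical, and Python lists stand in for native buffers.

```python
class ToyArray:
    """Array whose backing storage is replaced on resize (like realloc)."""
    def __init__(self, size):
        self.storage = [0] * size

    def redim(self, size):
        # Fresh storage; the old list stands in for freed memory.
        self.storage = (self.storage + [0] * size)[:size]


def assign_slot_early(arr, index_fn, value_fn):
    """LHS first, slot resolved before the RHS runs (the hazardous form)."""
    storage, i = arr.storage, index_fn()   # slot pinned to current storage
    value = value_fn()                     # RHS may resize arr
    storage[i] = value                     # store goes to the pinned storage
    return storage is not arr.storage      # True: the write hit stale storage


def assign_slot_late(arr, index_fn, value_fn):
    """LHS first for side effects, slot resolved and checked at store time."""
    i = index_fn()                         # only the index value is kept
    value = value_fn()                     # RHS may resize arr
    if not 0 <= i < len(arr.storage):      # bounds checked against live storage
        raise IndexError(f"index {i} out of range after RHS evaluation")
    arr.storage[i] = value


def run_case(assign):
    """Constructed scenario: the RHS shrinks the array being assigned into."""
    arr = ToyArray(4)

    def rhs():
        arr.redim(2)                       # side effect on the LHS location
        return 99

    try:
        result = assign(arr, lambda: 3, rhs)
    except IndexError:
        return "rejected", arr.storage
    return ("stale write" if result else "stored"), arr.storage


if __name__ == "__main__":
    print(run_case(assign_slot_early))
    print(run_case(assign_slot_late))
```

Both variants call `index_fn` before `value_fn`, so the visible order of side effects is the same; only the moment the storage is looked up differs.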

~~~
bArray
And this is why I tend to use a slightly smaller subset of some of the
features that C-family languages support, along with an abundance of brackets.

If I remember rightly, there is the example:

    
    
        a = {-1, -1}
        x = 0
        a[++x] = x
        print(a[0] + " " + a[1])
    

Depending on the language (and sometimes even if you have optimizations set
for those that compile to binaries), you'll get a different answer.

I always love (read sarcasm) to see awesome code, such as:

    
    
        z = a & b > c | d
    

or:

    
    
        z = a > b ? c < d ? e : f : g ? h : i
    

And then of course, the statement: "my code doesn't need comments because the
code comments itself"...

~~~
lern_too_spel
Don't do that. The behavior is explicitly undefined in C.
[http://c-faq.com/expr/seqpoints.html](http://c-faq.com/expr/seqpoints.html)

~~~
oblio
Don't do what, precisely? He listed several examples.

And I think he's agreeing with you, he's just sarcastic.

~~~
lern_too_spel
He said, "this is why I tend to use a slightly smaller subset of some of the
features that C-family languages support, along with an abundance of
brackets."

C does not support his first example. The standard states that the behavior is
undefined.

~~~
bArray
> If I remember rightly [..]

You're probably not wrong, but I specifically remember there was something you
could do in order to trick the compiler to allow modification on the left hand
side to happen. It could possibly be by having two variable names referencing
the same variable - for example.

Besides, the whole point was that it's usually not clever "trying to be
clever". It just creates confusion. I don't personally believe the majority of
people need to test the entire C spec to its absolute boundary. A subset
serves most people perfectly well.

------
mevile
It's crazy to me to realize that there are still people employed at Microsoft
who work on VBScript. I love VBScript, lots of great memories, but I don't
know anyone who uses it anymore, not even VB.Net.

~~~
simonh
VB.NET is still taught in the GCSE (secondary school) Computer Science course
in the UK. My daughters are doing it now. Fortunately they are able to run it
fine in Visual Studio for Mac.

I’m teaching them a bit of Python as well, but I’m impressed with the
material they’re doing at school, it’s all good stuff even if the language is
a bit clunky. Apparently they will be using Java for the International
Baccalaureate in a few years.

~~~
setquk
Some schools. My eldest did python on MacOS here in UK secondary school.

~~~
simonh
Really? I didn't know that was an option. Shame, still VB.NET isn't as painful
as I'd feared it might be and the important thing is the concepts. Secondary
school CS is a whole world better than it was when I was their age.

Having said that I know there are concerns that by focusing on 'real' computer
science the course has swung too far away from everyday practical computing
skills. Personally I think schools should have a bias towards putting weight
on the academic end of the vocational-academic spectrum.

I've avoided pushing Python too hard, they have enough on their plates
learning VB, but I have dipped into it with them to show how it does some
things differently. I don't want to make them feel resentful about learning
VB, that wouldn't be constructive, so I'm learning VB along with them. I do
think it's useful to understand what things are pretty fundamental, and which
things can vary meaningfully between languages though.

~~~
setquk
I may be older than you :)

When I did secondary school "technology" which was the overseeing subject, we
used BBC basic and 6502 assembly (some of us anyway!) to drive CNC equipment
and Lego and spent half of the time with a soldering iron in hand and etching
PCBs and stuff. In _business studies_ , a wholly separate subject at the time,
we learned how to use spreadsheets, word processors, write letters etc on
RiscOS which had just rolled out about then.

I think the education now is abysmal in comparison. Why? A weird reason. None
of the technology I learned about then is relevant now. 6502 assembly is dead,
BBC BASIC is dead, RiscOS is dead, all the software packages are dead, China
makes my PCBs etc. The education it gave me was a mental model of computing
and how to approach problems with self sufficiency.

I feel a lot of technology platforms now, including .Net (something I have
been using since day one), remove all self sufficiency from you and abstract
so much away that it's harmful. I see many younger staff at companies I have
worked for whose education has left them with so many gaps that self
sufficient problem solving is impossible.

~~~
simonh
I doubt it (the age thing). RiscOS came out while I was at University. I think
you must have come into secondary school comp sci just as it started getting
good. When I did it a few years earlier (started - I dropped out) they were
still teaching us how core memories and punched cards used to work. They did
have a few BBC micros, but hadn't started using them in teaching. Yes, I am
THAT old :)

My eldest just did a test where one of the questions was to describe the fetch
and execute cycle, so they do cover low level concepts in Comp Sci GCSE.

PCBs and integrated circuits are in GCSE Electronics. Robots and control
systems I'm not sure about but they have that stuff and a 3D printer and laser
cutter in the Design and Technology lab. I'd have been all over that stuff in
my day, but my girls prefer to spend their time in the fully equipped
soundproofed music studio practicing 7 Nation Army with their rock band after
school. Kids these days! And this at a public school, albeit a really good
one.

------
peteretep
So I got downvoted last time I brought this up, but if a large corporation
hasn't fuzzed their products / code, doesn't this start to border on
negligence?

Bugs will of course happen, but failure to fuzz products from companies that
employ tens of thousands of people seems inexcusable.

~~~
da_chicken
It should, but it doesn't. People haven't quite figured out that when software
becomes infrastructure that software engineering should look a lot more like
civil engineering.

~~~
pjmlp
There are a couple of countries where signing off projects as software
engineer does indeed require similar validation.

Sadly we are still quite far from the ideal way.

For that we need more escalations on company lawsuits so that it actually
becomes more professional.

------
wglb
One interesting bit: _If an attacker-controlled data is interpreted as a
VBScript variable, this can result in a lot more than just infoleak and can
easily be converted into a code execution. This issue is a good example of
why, in general, an out-of-bounds read can be more than an infoleak: it always
depends on precisely what kind of data is being read and how it is used._

How leaks can become RCE.

------
lixtra
It feels like the language got too many features and then the model got so
complicated that devs could no longer correctly reason about it. I would
suspect that such errors are less likely in a simple language like lisp.

Did similar exploits happen in JavaScript?

~~~
colordrops
JavaScript is not hard to reason about.

~~~
BigJono
Just wait a few years.

------
csours
Poor, ancient VBScript! Oh, how you would benefit from Raymond Chen's time
machine...

------
ec109685
Why doesn’t Internet Explorer / Microsoft sandbox VBScript like Chrome does?

------
Digit-Al
Weirdly I just get a blank page when I look at this.

~~~
zyx321
Blogspot does not like it when you disable Javascript.

