Microsoft today announced that it has enabled JScript9Legacy as the default scripting engine in Windows 11 24H2 and newer versions such as 25H2, replacing the decades-old JScript runtime. The company says that Windows 11 users will now benefit from the "improved performance and security features the new JScriptLegacy scripting engine offers."
By switching to JScript9Legacy, Microsoft says that it aims to reduce vulnerabilities tied to legacy scripting, such as cross-site scripting (XSS), among others. XSS exploits allow attackers to inject malicious code into legitimate websites, where it executes when a potential victim loads the affected site.
Windows has been shown to be vulnerable to scripting engine attacks in the past. As recently as August 2024, Microsoft issued patches for a remote code execution flaw tracked as CVE-2024-38178. And the web is indeed a dangerous place, especially for novice Windows users.
The new JScript9Legacy engine enforces stricter execution policies and improved object handling, which should help mitigate XSS-like attacks. To put it simply, for enterprises and home users alike, this change should help protect against web-based threats that exploit outdated script engines.
If you recall, Microsoft made similar changes for Edge earlier with the default Enhanced Security mode.
For those who may not be familiar, JScript has powered Windows scripting since the late 1990s and made its debut with Internet Explorer 3.0. Its compatibility with a broad range of web content made it widespread, but it also leaves thousands of systems exposed to modern attack vectors.
According to Microsoft, the new engine replaces JScript.dll with JScript9Legacy.dll and the shift is designed to maintain backward compatibility for existing scripts while offering more robust security on the latest version of Windows. Microsoft notes that "no additional action is required from you to benefit from JScript9Legacy, nor will it impact existing workflows", and thus for most users, no further action is required.
You can find the announcement post on Microsoft's Tech Community website.