Windows Update To Fix Critical 'Wormable' Flaws May Break VB Apps

"This week's Windows updates fix critical 'wormable' [Bluekeep] flaws but may also break Visual Basic apps, macros, and scripts," warns ZDNet: "After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an 'invalid procedure call error'," Microsoft says. The issue affects all supported versions of Windows 10, Windows 7, Windows 8.1, and their corresponding server versions. "Microsoft is presently investigating this issue and will provide an update when available," the company said.

Microsoft didn't offer an explanation for the problem but it did flag earlier this month that it will move ahead with sunsetting VBScript, by disabling it in IE11 by default via an update in this week's patch. "The change to disable VBScript will take effect in the upcoming cumulative updates for Windows 7, 8, and 8.1 on August 13, 2019," Microsoft warned in a blog post. The change brought these versions of Windows in line with Windows 10. However, it's not clear that the issues under investigation are related to this measure. Regardless of the cause, the error could be a hassle for organizations that rely on Microsoft's various incarnations of Visual Basic...
In a blog post shared by Slashdot reader CaptainDork, Microsoft warned that "any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction."

"The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions."

Well, that'll be a problem

[DogDude]

Broken VB apps might be a huge problem for a lot of people. Heck, I can't count how many VB6 based applications we're running right now. It's a lot.

Re:Well, that'll be a problem

[Ostracus]

Be nice if there was an open-source VBScript engine.

Re:

[Wolfling1]

I have to admit that I'm gobsmacked that nobody has come up with a 3rd party VB6 compiler. Wouldn't there be an awesome market for that right now.

Re:

[localroger]

Both the IDE and applications work well under Linux via Wine. The only reason I haven't switched is that my trick for coding serial ports to the API doesn't work in emulation because VB is single-threaded, and while W32-64 will cache incoming serial data for you both 16 bit windows and *nix emulation expect you to supply a callback function to catch the data the instant it arrives, and VB is deliberately crippled so that it can't do threads.

Microsoft's QA strikes again?

[QuietLagoon]

Was a broken VB needed to fix the worm problem, or was a broken VB the result of Microsoft's ace QA team?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[PPH]

Windows Hydra.

QA?

[antdude]

MS has QA again? When did that happen? :P

I don’t see anything at all

[UnknowingFool]

So this update patches and worm and keeps VB6 scripts from working. What’s the problem again? :) I know MS still supports VB6 until 2024 on some Windows versions but this should signal migrating away from it.

Re: I don’t see anything at all

[SuperDre]

If it really breaks vb6 applications it could be a serious problem as there are still a lot of (business)application in use that where written in VB6. VB6 is an excellent developmenttool, and with a lot of applications it's "if it ain't broken, don't fix it". It's like with all languages, if you don't know how to use it properly, people will write crap applications with it, it's not the language that's the problem, it's the incompetent developer that is....

Re:

[localroger]

The purpose of the OS is to run programs written against it. If it can't run programs written in a popular compatible system which was also sold by the OS vendor and is less than 20 years old -- which isn't really very old, ask your bank how many COBOL programs they are running in emulation of 70's era IBM mainframes -- then the OS is broken and not doing what it should be designed to do. It doesn't matter how secure your tool is against hackers if it can't do the job you bought it to do.

Re:

[UnknowingFool]

I don’t categorize COBOL running on mainframes anywhere close to Windows running VB6. Even today, old mainframes can handle thousands to millions of simultaneous transactions per second and double and sometimes triple check the math. A Windows machine can’t come anywhere close to that especially with VB6. I don’t see continuing to use VB6 as a good thing.

Sandbox

[JBMcB]

This is why I have a Windows XP virtual machine for running legacy junk. It doesn't see the internet except for Microsoft Update and antivirus updates. I get stuff in and out via shared drives. At this point, I think the XP mode VM thing Microsoft did for a while (in Vista?) is a good idea. Instead of maintaining backwards comparability with everything in 10, get rid of all the cruft and VM the old stuff. Just firewall the heck out of it - make it only see intranet addresses.

Re:

[twocows]

Even then I'd say only let it see the parts of your intranet that you need it to see. If most users don't need to access it, wall it off from them in case their machines get infected with something.

if you break VBS you also break HTA apps

[denis-The-menace]

We have a couple of HTA and VBS apps out there. We made them in scripts so that we don't have black box EXE that requires a special compiler environment and not loosing the source code. Now I'm expecting a shit-tonne of tickets for these simple little in-house apps not working. God knows how many COTS apps that have helper scripts written in VBS too. MANY installation packages (MSI, EXE, NSIS, etc) also use VBS to handle dinky things at install time.

This sun-setting of VB Script is news to me. This is how you make people want to run other OS' than Windows.

Re:

[Amouth]

yea this is news to me also, *looks over at a bunch of decade old tools* i'm glad i don't work in IT and support others anymore, but it looks like i need to allocate some time to upgrade/rewrite a a bunch of my personal custom tools.. now to pick a language........

Clear as mud,...

[MrL0G1C]

How exactly would a worm propagate here? - how does someone else run VB on my machine? Doesn't sound very wormy to me.

Resolving Confusion.

[ElizabethGreene]

This month's patches fix a wormable flaw in RDP. (Not publicly disclosed or exploited per telemetry.)

There is a defect in this month's patches that cause some VBscripts to throw an error. Microsoft has flagged the latter as a known issue, and indicated they will be fixing it.

You can mitigate the RDP vulnerability by turning on RDP NLA.