Email attachments are probably the most common mechanism for infecting a Windows computer. As potential victims get wise to the tried and true infection schemes, bad guys have a relatively new wrinkle -- the attached malicious file is JavaScript. JavaScript, or more correctly in this case, JScript files, are plain text files that end in ".js."
JavaScript files are normally found in web pages where your web browser interprets the instructions and executes them. By and large, JavaScript inside a web page is safe as the browser limits the fish bowl where it lives to a single web page.
But, JavaScript let loose on a Windows machine is an entirely different matter.
Windows, for years now, has been able to run Microsoft's version of JavaScript, called JScript. The fish bowl that JScript was designed to live inside was not a web page, but Windows itself. As such, JScript includes many commands that JavaScript does not. For example, JScript can interact with the file system to create and delete files, something that JavaScript in a web page can not.
The component in Windows that executes JScript is the Windows Script Host (WSH).
When bad guys first started using JScript attachments, the scripts downloaded the malware. Lately the bad guys have switched to writing malware entirely in JavaScript. Like other malicious files, the JavaScript/JScript files may be embedded inside a .zip or .rar file.
In part, Microsoft is to blame for hiding the file type portion of file names by default.
Out of the box, Windows will display the file name "badthing.exe" as "badthing." This brutally stupid default behavior displays the JavaScript file "interestingthing.txt.js" as "interestingthing.txt" which can trick non-techies. Changing this behavior is one of the first things I do on any new Windows computer.
Also by default, double-clicking on "interestingthing.txt.js" causes the Windows Script Host component of the operating system to run the JScript script. Changing this default behavior, makes a Windows machine safer. Perhaps the safest thing to do with JavaScript/JScript files is to open them in Notepad.
To do this, I suggest creating a plain text file called "disableme.js" containing this single line of JavaScript code
a=b+2;
Then, you can safely experience Windows Script Host running a JScript file by double-clicking on the file in Windows Explorer.
The Windows Script Host gets an error running our sample JavaScript file
As shown above, the execution will fail because the variable "b" is not defined. The following are instructions to have Notepad process .js files rather than the Windows Script Host.
In Windows 7, right click on the disableme.js file, then click on "Open With." To the right of "Other Programs" is a small arrow pointing down. Click on it, then click on Notepad and OK. In my testing, the checkbox "Always use the selected program to open this kind of file" was checked by default. Still, you should verify that the box is checked.
In Windows 8, right click on the disableme.js file, then click on "Open with," then "More options" and finally on Notepad.
In Windows 10, right click on the disableme.js file, then click on "Open with." The default here seems to be different than Windows 7, so you will need to turn on the checkbox for "Always use this app to open .js files." Then click on "More apps," Notepad and the OK button.
To verify that notepad is indeed the default program for handling .js files, just double click on the disableme.js file again.
We're not done yet, however.
Windows also treats ".jse" files as JScript and the Windows Script Host processes them too. So, rename the "disableme.js" file to "disableme.jse" and repeat the above procedure.
Since there is often confusion about this, let me be clear: both JavaScript and JScript have nothing at all to do with Java.
BLOCK WSH
Some, perhaps many, people can stop right here. But, for those who care, we can dial the protection up to 11.
JavaScript/JScript is not the only language supported by Windows Script Host. Out of the box it also supports VBScript files (.VBS and .VBE) and Windows Script files (.WSF). Other languages can also be installed, allowing WSH to process Perl, Ruby, PHP and more.
The real vulnerability is not JavaScript/JScript, its Windows Script Host. We can disable WSH, but this comes with a small risk -- there may be software that uses it on any given Windows machine. The only way to tell, sadly, is to disable WSH and see if anything breaks.
The cscript command is fully functional
Windows Script Host has both a text mode and GUI mode. You can verify that the text mode is functioning by opening a command prompt and entering "cscript." The output above, which is slightly truncated, is from Windows 7, but it is almost exactly the same on Windows 8 and 10.
If you see this, the GUI part of WSH (wscript) is functional
To verify that the GUI mode is functional, open a command prompt and enter "wscript." On Windows 7, 8 and 10, a new window should be displayed that looks like the one above.
Microsoft does not provide a simple way to disable WSH, we have to hack around in the registry. Articles from Tend Micro and F-Secure offer the details. Different registry keys can disable WSH for a single user or system-wide.
Before modifying the registry, it is a good idea to make a Restore Point, which backs up the registry. After modifying it to disable WSH, you can verify that it worked by running the two commands above.
The issue of malicious JavaScript files attached to email messages, is not a problem on the operating system formerly known as OS X. There, stand-alone JavaScript files open in Safari, which simply displays the text of the script but does not execute it.
Finally, some editorializing.
Reading email on a Windows computer is like swimming in shark infested waters. The safest environment for email is a Chromebook. If you don't like your email providers webmail system, then look for a Chromebook that will soon be able to run Android apps, giving you a wide choice of email clients.
Do yourself and the world a favor by not reading email on a Windows machine.