You might have seen a notification that things are changing in your inbox. Starting February 2017, Gmail changed its policy regarding JavaScript. Here's why this is changing, and how you can protect yourself from malicious JavaScript.

What Is JavaScript, Anyway?

JavaScript (not to be confused with Java, a separate programming language with a similar name) is not inherently a dangerous or malicious thing---in fact, this page you're reading right now uses JavaScript, like most modern web pages. JavaScript is a programming language that is stored in plain text and executed by various programs, including web browsers. This differs from programs that are written in plain text and then compiled to be executed as a "binary," like most programs installed on your PC.

JavaScript has been around since the mid-90s. The first version of this important language was created in a mere 10 days by Brendan Eich for use in the first version of Netscape Navigator. Eich went on to become the co-founder and CTO of Mozilla, the company that manages Firefox. All modern web browsers can execute JavaScript, adding complexity and programming logic to web design that was not possible with simple HTML.

Because so many people needed JavaScript on the growing web of the 90s and early 2000s, its popularity with coders increased exponentially. Currently, it is likely the most popular language on the web.

With the explosion of JavaScript's popularity and the increasing complexity of the web, Google released their Chrome browser and V8, an open-source engine for efficiently executing JavaScript code. With its release in 2008, it sped up the load speeds of web pages and JavaScript, and led to even more uses the following year.

Clever developers took the V8 engine from the Chrome project and released a server-side app called Node.js in 2009. This allowed a server to do things like store and retrieve files and serve up webpages, but using only JavaScript. This means developers can use their existing knowledge of JavaScript, and don't have to learn new languages. Node has started to replace PHP and Python for many new web apps and sites, and its popularity with developers is still growing.

Why Is Gmail Blocking It?

Because JavaScript is everywhere, you can assume it can be run by a zillion things. Many people can write it, and it can be exploited. This doesn't make it any worse than MS Office Macros or Email Attachments, but it has potential for misuse.

Security experts have noted a trend of more malware written in JavaScript. These files are often sent over email, disguised as a resume, a phishing message targeting businesses, or a claim that the attachment will "track a recent order." This is a "trojan horse" (or simply "trojan") kind of injection of malicious software, because it needs an unsuspecting user to download, open, run, or install malicious bits of code.

One frightening recent trend from the past few years is Ransomware. Given access to your computer, a JavaScript program might install software to turn your important files to unreadable gibberish through a process called Encryption, forcing you to pay someone halfway around the globe to get back the files that used to be yours.

Google keeps a list of common filetypes used by malware creators, and Gmail blocks them. Because of the increase of this kind of malware, the JavaScript filetype has been added to that list. It's unlikely this will cause most users any problems. The notable exception is if you're a developer trying to email a file called "functions.js" to a coworker. In this case, you may have to share it through Google Drive or another file sharing solution. But most users will likely not notice any difference.

JavaScript is not the least bit scary, but it can do a lot of harm to your computer if you're not careful. So let's turn our focus to what you can do to keep yourself safe.

How Can I Protect Myself?

Windows has become more vulnerable to these kinds of attacks, partly because of the user-side program Windows Script Host, which can execute JavaScript files and potentially harm your system---that is, if you allow it.

Here's an easy method to avoid that, without disabling scripts entirely. You can set Windows to open .JS files with a program that doesn't execute code: Notepad. Here's how.

Open Notepad by clicking your Start Menu and typing Notepad.

With a blank file open, head to File > Save As. Save the open blank document on your desktop as Blank.js, making sure you delete the .txt file extension.

Close Notepad. Right-click the fake .JS file you just created and find "Open With" in the contextual menu. Click "Choose Another App."

Pick "Notepad" from the list and make sure that the checkbox beside "Always Open With" is checked.

Now any malicious JavaScript files you accidentally open will harmlessly open in Notepad.

You can also disable Windows Script Host by default for your computer, ensuring that any kind of code that it executes, bad or good, can't be run without being enabled again. This might be overkill, but it is a reasonable thing to do to keep a loved one's computer safe. Here's a Microsoft-recommended method for how to disable Windows Script Host entirely.
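
To confirm that the two changes above took effect, this read-only PowerShell audit reports which program opens each Windows Script Host file type and whether WSH has been switched off. It is an added example, not part of the original article; the extensions beyond .js and the use of the `Enabled` registry value under the Windows Script Host `Settings` key are assumptions the article does not spell out.

```powershell
# Read-only audit: which program opens WSH script types, and is WSH disabled?
# The article covers .js; the other extensions are an added generalization.
$extensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh'

function Get-DefaultValue([string]$Path) {
    # Return a registry key's (Default) value, or nothing if the key is missing.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

function Get-ScriptHandler([string]$Extension) {
    # An "Always open with" choice made in Explorer is stored per user and wins.
    $choice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -LiteralPath $choice -ErrorAction SilentlyContinue).ProgId
    # Otherwise the extension maps to a class such as JSFile under HKEY_CLASSES_ROOT.
    if (-not $progId) { $progId = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$Extension" }
    $command = if ($progId) { Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" }
    [pscustomobject]@{
        Extension = $Extension
        ProgId    = $progId
        Command   = $command
        # wscript.exe and cscript.exe are the two Windows Script Host executables.
        RunsInWSH = [bool]($command -match '[wc]script\.exe')
    }
}

function Get-WshState {
    # Assumption: an 'Enabled' value of 0 under this key disables WSH, and a
    # missing value leaves WSH enabled (the Windows default).
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path  = "$hive\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $value = (Get-ItemProperty -LiteralPath $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
        if ($null -eq $value)     { $state = 'not set (WSH enabled by default)' }
        elseif ("$value" -eq '0') { $state = 'disabled' }
        else                      { $state = 'enabled' }
        [pscustomobject]@{ Hive = $hive; Enabled = $value; State = $state }
    }
}

$extensions | ForEach-Object { Get-ScriptHandler $_ } | Format-Table -AutoSize -Wrap
Get-WshState | Format-Table -AutoSize
```

After the Notepad change described above, the .js row should show RunsInWSH as False; any row still showing True will execute in Windows Script Host when double-clicked.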

Of course, never forget the basics, either: never open email attachments from untrusted or unknown senders, or from known senders if the email looks suspicious or confusing. Simply doing this will cut your risk from malicious Trojan code down to almost nothing, since the majority of it comes from spam or hijacked email accounts.

And that's roughly all you need to know about keeping safe from any bad bits of JavaScript. As of February 13, though, you won't have to worry about these files being sent to your Gmail address, because the filetype will be blocked entirely.