Gmail To Block JavaScript Attachments Due To Ransomware, Other Security Risks

Google announced that it will add .js (JavaScript) extensions to its list of restricted file extensions (such as .exe, .msc, and .bat) for Gmail starting February 13, 2017.

As Flash is being phased out, attacks based on JavaScript vulnerabilities may be the new go-to for malicious hackers. Late last year, a researcher had already found a JavaScript vulnerability in Yahoo Mail that could have allowed any attacker to eavesdrop on Yahoo customers’ emails.

Throughout the last year, it has also been observed that various ransomware families have begun to spread through spam emails carrying malicious JavaScript attachments.

Email has always been an effective way to spread malware because people often click on the attachments they receive without any additional protections. Those extra protections would include opening the attachments in a better sandboxed environment (Sandboxie or a virtual machine are two examples). It’s understandable why most do not, because it’s often too inconvenient to take such measures to read your email. Therefore, it’s up to email service providers to try and limit this type of malware risk as much as possible.

Where applicable, the browser’s sandboxing should also help. However, chances are the malware makers already take browser sandboxes into account and include ways to bypass them.

Blocking .js file attachments is bound to frustrate software developers who may use email to share JavaScript files with each other. Google has a solution for this, which is to use Google Drive, Google Cloud Storage, or other cloud storage solutions to share those files.

The new restriction is a part of Google's continuous efforts to improve Gmail security. However, we're still waiting for the end-to-end encryption feature that Google promised back in 2014 but has yet to deliver.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • ammaross
    Or just send your javascript file or snippet as a .txt. I'd assume most web developers are well aware of extensions.
  • velocityg4
    Although this is good for the average user, Google should provide the option for a user to manually override the security for a specific e-mail for any file extension or file. Just let them know the risks. They can then decide to override it if they so choose.

    I can understand trying to protect the average ignorant user. Just don't alienate advanced users in the process. Those who know how to judge whether or not an attachment is reasonably safe and don't blindly open attachments. Such as, you don't open an attachment you weren't expecting.
  • Software devs who can't zip their attachments probably have bigger problems than Gmail's new .js block.
  • firefoxx04
    I won't say where I go to uni at but we have year 2 and 3 students that do not know how to zip a project folder for their programming classes. It is pretty sad.
  • velocityg4
    19212359 said:
    Software devs who can't zip their attachments probably have bigger problems than Gmail's new .js block.

    Last I tried GMail looks inside zipped archives. Unless they encrypt it GMail still blocks it. Although they should encrypt it.
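A mail-gateway sketch of the extension check the article describes, extended to ZIP member names as the comment thread discusses; it is an added example, not Gmail's implementation. The four-entry list, function names, verdict strings and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
import email.policy
from email.message import EmailMessage

# Extensions named in the article; a production restricted list is longer.
RESTRICTED = (".exe", ".msc", ".bat", ".js")

def is_restricted(name):
    """True when the file name ends in a restricted extension (case-insensitive)."""
    return name.lower().endswith(RESTRICTED)

def scan_zip(data):
    """Check ZIP member names from the archive directory, without extracting anything."""
    try:
        members = zipfile.ZipFile(io.BytesIO(data)).infolist()
    except zipfile.BadZipFile:
        return ("block", "unreadable archive")
    for m in members:
        if is_restricted(m.filename):
            return ("block", "restricted file inside archive: " + m.filename)
    if any(m.flag_bits & 0x1 for m in members):  # bit 0 set: member is encrypted
        return ("uninspectable", "encrypted archive")
    return ("allow", "")

def scan_message(raw):
    """Map each attachment name in a raw message to a (verdict, detail) pair."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if is_restricted(name):
            results[name] = ("block", "restricted extension")
        elif name.lower().endswith(".zip"):
            results[name] = scan_zip(part.get_payload(decode=True))
        else:
            results[name] = ("allow", "")
    return results

def build_sample():
    """Constructed message: a script, a ZIP holding a script, and a PDF stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("project/app.js", "console.log('hi');")
    msg = EmailMessage()
    msg.set_content("see attached")
    for name, data in (("invoice.js", b"// stub"), ("project.zip", buf.getvalue()), ("notes.pdf", b"%PDF-1.4")):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns one verdict per attachment; what to do with an `uninspectable` archive (reject, quarantine, or deliver with a warning) is left to the operator's policy.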