Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: JavaScript Timeout Setting

From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 18 Aug 2011 11:37:23 -0500
infosecsmith () s mintemail com writes:


I was curious what you think about setting this option in Internet Explorer.

http://support.microsoft.com/kb/175500

Because some scripts may take an excessive amount of time to run, Internet
Explorer prompts the user to decide whether they would like to continue
running the slow script. Some tests and benchmarks may use scripts that take
a long time to run and may want to increase the amount of time before the
message box appears. In Internet Explorer, the script time-out value can be
changed on specific client machines by modifying a registry entry.


To change this time-out value in Internet Explorer 4.0, 5.0, 6, 7, or 8,
follow these steps:

  1. Using a Registry Editor such as Regedt32.exe, open this key:
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles

  *Note* If the Styles key is not present, create a new key that is called
  Styles.
  2. Create a new DWORD value called "MaxScriptStatements" under this key
  and set the value to the desired number of script statements. If you are
  unsure of what value you need to set this to, you can set it to a DWORD
  value of 0xFFFFFFFF to completely avoid the dialog.

My thoughts would be its acceptable to extend the Time Out, but not to
completely disable it.

Thoughts?


I'd hesitate to recommend this generally as sometimes it's anomalies
like this that are the only symptoms that lead a user to report
workstation problems that lead to discovery of an infection that other
endpoint protections have entirely missed.

On an exception basis, sure-- if there's a very specific site or tool
that when tested across a number of known clean machines causes this
issue and gets in the way of getting work done, I can't see much harm
in increasing this.  But I certainly wouldn't rush to extend this
across an enterprise, and I agree with you that disabling it is best
avoided.

On the other hand, an alternate browser might be another way to skin
the same cat.  If it's bulky Javascript you're running, for example,
Chrome seems to rule the roost at present.


--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: