1. Open / Start QTP
2. Right click on the Menu toolbar (File  Edit View Insert ….)
3. Select “Customize”
4. Click on the “Toolbars” tab
5. then Click on “Restore All” button at the lower right hand side.

Wallah ! now All iz Well !

The vulnerability affects Windows 2000, XP and Server 2003-based systems, Microsoft said in a security advisory dated March 1.

Microsoft said that the vulnerability in VBScript could allow remote code execution of computers. “If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user,” Microsoft said on its Web site, “On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate against this issue.” Windows Vista, Windows 7, and Windows Server 2008 are not affected.

The advisory includes several workarounds, including advice to avoid pressing the F1 key when prompted by a Web site.

It also suggests restricting access to the Windows Help System, setting Internet and Local intranet security zone settings to “high” to block ActiveX Controls and Active Scripting, and configuring Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.

Microsoft complained in its advisory and a statement that the vulnerability was not responsibly disclosed.

Two days was all it took to Sony engineers to solve the problem of time that affected some models of the PS3. A concern due to the passage of the month from February to March and that has prevented some users from connecting to the PlayStation Network on Sunday and Monday. This bug has been identified as the older model PS3 (called Fat) and does not cover PS3 Slim sold since September 2009.

On its blog, Sony states that if, on consoles impacted by this bug, the date does not always gets updated automatically, you can now force it manually or via the Internet. The Japanese company also said that if it has new elements to correct any other recurring concerns, it will update the console via the web to solve them. Evidence that the connection problems are only the past now.

I’ve worked at places and with developers that see the QA Team as a nuisance. Constantly interrupting with bug issues when you’re just trying to move on to the next step. I mean, you tested it yourself right? What could some QA person have found that you didn’t account for? That’s the point. As the old phrase goes:

“It takes more intelligence to debug code than to write it. Therefore, if you write the most difficult code you can create, you are not smart enough to debug it.”

The other thing to remember is that when you as a developer test code you have the bias of knowing exactly how it works and will test with that in mind, there’s no escaping it. The QA Team is there to not only test it to see if it works, but to try the most asinine tests that end-users will do and see if it breaks. No matter how well you design your software the end-user will use it in ways you never thought possible, the QA Team is there to help you in these cases by testing obscure scenarios and reporting what they’ve found.

There’s more to it than understanding QA’s role and respecting them and relying on them. We as Developers need to be engaging them. When I turn over my software to QA, if I don’t hear anything within a few days I go bug them. My ultimate goal as should be the goal of all developers is customer satisfaction, if the customer isn’t happy you’re not going to be doing much development for them. We should be asking QA what we can provide so they can better test the code. Maybe creating a tool that will allow them to automate certain interactions or giving them DB access to see what’s getting stored. In any case we also need to be sitting down with them and making sure they understand exactly how the software works. Sit down and explain the DB table structure with them, make sure they understand the process flow. The more they understand of it the more they will know how to test it. Also keep in mind that a good rule of thumb to follow is however long it took you to develop it, it may take twice as long for QA to debug it. Your QA Team is your friend, not your enemy. QA is the body armor to failure. The more you help QA the better your chances of success.

So, Bottom Line : LOVE YOUR QA TEAM !

It has been suggested that the Download Manager is an ActiveX script that is widely used to install a variety of software and patches across Adobe’s network.

An Israeli security researcher Aviv Raff has identified the flaw which allows a third party application to be installed on the remote machine if users click on a link.

In his blog Raff says that despite informing Adobe the company downplayed the risk.

“While it is true that the Adobe Download Manager is removed upon computer restart, the user, who has just updated their Adobe product (usually without the requirement to restart the computer after the update), is still exposed to forced automatic installation until they restart their computer.

“This specific design flaw does indeed force installation of the latest version of Adobe products. But, what if there is a zero-day flaw in an Adobe product, and you have decided to remove it from your system because of that zero-day?

“An attacker can force you to automatically download and install the vulnerable Adobe product, and then exploit the zero-day vulnerability in that product.”

A recent report from Scansafe found that based on more than a trillion web requests processed in 2009, the use of malicious PDF files exploiting flaws in Adobe Reader/Adobe Acrobat not only outpaced the use of Flash exploits, but also, grew to 80pc of all exploits the company encountered throughout the year.

“This is the kind of scenario that’s common when skilled, motivated attackers are going after select targets.

And yes, you do get a big dialog box when you are forced to download the software. Like this will really matter to the attacker, when all he wants is to get his malicious software on your machine,” Raff said.

The vulnerability was first discussed at this week’s Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies.   Microsoft says the risk is highest for IE users running Windows XP or who have disabled the browser’s Protected Mode feature.

Medina’s  presentation demonstrated how an attacker can read every file of an IE user’s filesystem.  The attack scenario leveraged different design features of Internet Explorer that can be combined to do serious damage.

Here’s more on Medina’s talk from DarkReading’s Kelly Jackson-Higgins:

[Medina] says popular features in IE, such as URL Security Zones and the browser’s file-sharing protocol, can together be abused to execute an attack that results in the attacker being able to read all files on the victim’s machine. Medina plans to release proof-of-concept code for the attack next month after Black Hat DC, and after Microsoft issues a security update for the attack, which affects IE versions 6 and above, he says.

“These vulnerabilities are just features … the implementation of the features allow you to obtain certain information, which by itself is harmless. But when combined together with other features, it renders an attack vector,” Medina says. The attack requires the user to click on a malicious link.

According to Microsoft’s advisory,  IE’s Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008.

The problem does affect every version of the browser but is considered most serious on Windows XP.

The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites.

For pre-patch mitigations, see the “workarounds” section of Microsoft’s advisory.

Features of soapUI

The soapUI is designed to simplify the testing of your Web services; I also find it useful for interacting with third-party Web services to get a better idea of what to expect in the response, as well as what to include in the response. It was especially useful in a recent project utilizing ChannelAdvisor Web services. Using soapUI, I was able to figure out the data expected in request objects.

SoapUI is accessible to both technical and nontechnical persons. The easy-to-use graphical interface makes it simple to work with WSDL and SOAP-based Web services. It provides a Web service client that can automatically generate Web service requests and tests.

With the tool, you can work with XML and its many variations like WSDL. WSDL is easily imported via its URL, along with a great viewer for navigating and inspecting the WSDL source.

SoapUI offers extensive security features, which include Web service authentication and WS-Security. One of the cool features I like is the excellent SOAP monitor support; it allows you to easily monitor and analyze traffic.

The user interface is powerful; the soapUI tool also provides a command-line option. It allows you to run your tests via the command line, thus it can be easily automated in batch files.

Putting soapUI to work

Figure A provides a look at the soapUI interface with a new project created to access the Amazon S3 Web service. It includes the generation of a new request for the Web service’s CopyObject method. A new request is generated by right-clicking a method name (in the left side of the IDE) and selecting New Request.

With the request generated, you can fill in the necessary data and submit the request via the green Play button in the upper left of the request window. A validation option is available as well to ensure the request XML is valid before you try to submit it. Once you submit a request, you can view the results to see the response (if there is one) from the Web service call.

Figure A

The ability to create mock objects is available within soapUI. It allows you to test a Web service without actually connecting to it. The feature is available by right-clicking a method.

In addition to running a request, you may create a new assertion for testing. The left pane (navigation area) of the IDE includes a node for Tests. This allows you to create new tests and test scripts for validation proper Web service execution.

Integration

SoapUI easily integrates with IDEs and other tools to become a part of your development process. The list of IDEs includes Maven, NetBeans, IntelliJ IDEA, JBoss, and Eclipse. The other tools include code generation and WS-I options. Tools may be associated with soapUI via the Preferences window, as shown in Figure B, which include the configuration for the .NET wsdl.exe tool.

Figure B

Getting soapUI

The soapUI tool is built with Java. The necessary Java files may be installed when soapUI is installed. Its reliance on Java means it can run on many platforms. The download page includes Windows installation files as well as tar files for other systems.

A great aspect of soapUI is its cost — free! Well, the Basic version is available at no cost. A Pro version is available with a one year license for $349. The professional version includes everything that’s in the Basic version, along with product support and additional features for testing such as refactoring, data sources, and drag-and-drop editing.

Don’t forget to test

Testing is an important aspect of every development project. It seems common to test a Web service as part of a bigger system via how the Web service is accessed. However, it is important to fully test the service itself. The soapUI tool allows you to easily write test suites and test cases.

A better way

The soapUI tool provides a great way to interact with and test Web services whether they are your own or third-party offerings. It is a nice alternative to other options I’ve used, such as the built-in features of Visual Studio or hand-coding SOAP requests

The vulnerability in the Windows Virtual DOS Machine (VDM) subsystem was disclosed Tuesday by Google engineer Tavis Ormandy on the Full Disclosure security mailing list. Coincidentally, Ormandy received credit for reporting the single vulnerability that Microsoft fixed last week on its regular Patch Tuesday.

The VDM subsystem was added to Windows with the July 1993 release of Windows NT, Microsoft’s first fully 32-bit operating system. VDM allows Windows NT and later to run DOS and 16-bit Windows software.

Yesterday’s advisory spelled out the affected software — all 32-bit editions of Windows, including Windows 7 — and told users how to disable VDM as a workaround. Windows’ 64-bit versions are not vulnerable to attack.

It was Microsoft’s second advisory in seven days; last week, the company posted a warning of a critical flaw in Internet Explorer after Google said its corporate computers had been hacked by Chinese attackers. That bug is to bepatched later today.

“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode,” said the newest advisory. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Jerry Bryant, a program manager with the Microsoft Security Response Center (MSRC), said that the company had not seen any actual attacks using the vulnerability, and also downplayed the threat if hackers do exploit the flaw. “To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system,” Bryant said in an e-mail.

Typically, Microsoft ranks this kind of vulnerability — which it classified as an elevation of privilege flaw — as “important,” the second-highest of the four ratings in its four-step system.

Ormandy said that the vulnerability goes back nearly 17 years to Windows NT 3.1’s release, and exists in every version of Windows since. He reported the bug to Microsoft more than seven months ago.

“Regrettably, no official patch is currently available,” Ormandy wrote on Full Disclosure Tuesday. “As an effective and easy-to-deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch.” The workaround Ormandy included in his message was the same as Microsoft’s: Edit group policies to block 16-bit applications from running.

Although Ormandy divulged information about the vulnerability, even posted attack code that works on Windows XP, Server 2003, Vista, Server 2008 and Windows 7, Microsoft didn’t take him to task in the advisory for prematurely revealing the bug, as it almost always does researchers who spill the beans before a patch is ready.

Presumably, Microsoft will issue a fix for the flaw at some point, but as is its practice in security advisories, it didn’t promise to do so. The next regularly-scheduled security update is slated for Feb. 9.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.

Publicly and privately, the Pentagon pinky-swears that militants haven’t been able to make a dent in U.S. operations, even though they’re able to tap into American overhead surveillance feeds. But at least one Air Force official, under the cover of anonymity, is telling a different story. One militant group in Iraq was able to stay a step ahead of U.S. forces, he says, thanks to their ability to intercept spy drones’ transmissions.

“We noticed a trend when going after these guys; that sometimes they seemed to have better early warning,” the officer tells Air Force Times’ Michael Hoffman and John Reed.

Eventually, American troops were able to raid a safe house of the Kata’ib Hezbollah militia, based out of Baghdad’s Sadr City. As Hoffman and Reed note, the group “has long been suspected of being a surrogate for Iran’s Quds Force.” U.S. forces were surprised at the level of technical sophistication. On confiscated laptops, they found footage taken by both Predator drones and the Army’s fleet of smaller unmanned aerial vehicles, or UAVs.

The Army drones are the most vulnerable to interception, because they broadcast their feeds unencrypted and in every direction. Retrofitting the hand-held Raven UAVs will take “at least two years,” Col. Gregory Gonzalez tells Hoffman. Locking up the Army’s other drones may take even longer.

For the Shadow, Hunter, Warrior Alpha and the Extended-Range Multipurpose UAV, the Army will retrofit all systems with encryption, as funding permits, said Gonzalez.

According to the Air Force’s Unmanned Aircraft Systems Flight Plan, the service has an objective of ensuring “protected communications” on its MQ-1 Predator and MQ-9 Reaper drones by 2014. “Both the MQ-1 and MQ-9 use the proprietary datalinks that are unencrypted and as such susceptible to enemy exploitation,” the Flight Plan notes.

UPDATE: So how important is this security hole, really? Check out the comments in this earlier Danger Room post for a well-informed debate.

UPDATE 2: Air Force officers told me last week that the intercepts were no big deal, because the interceptors were only seeing the raw video shot by the drone or spy plane. Without the metadata to go along with it, the footage was extremely hard to interpret. “As this is video only, it was assessed overall that this capability in the hands of our immediate adversaries posed limited threat to operations or capabilities,” one officer e-mailed.

It turns out that intercepting the metadata isn’t much harder than tapping the video itself. Because “there is also mission control data carried inside the satellite signal to the ground control stations,” according to an analysis carried by Wikileaks. Everything from target locations to drone headings to sensor angles can be pulled off the satellite transmission, too. The more this security breach is examined, the bigger it becomes.

[via wired]

NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information in fiscal years 2007 and 2008, according to a report issued Thursday by the Government Accountability Office. And, the GAO reports, National Aeronautics and Space Administration systems remain vulnerable despite the establishment of a security operation center last year to deter such incidents.

“The control vulnerabilities and program shortfalls, which GAO identified, collectively increase the risk of unauthorized access to NASA’s sensitive information, as well as inadvertent or deliberate disruption of its system operations and services,” wrote Gregory Wilshusen, GAO’s information security issues director, in a report cosigned by GAO Chief Technologist Nabajyoti Barkakati. “They make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. As a result, increased and unnecessary risk exists that sensitive information is subject to unauthorized disclosure, modification, and destruction and that mission operations could be disrupted.”

GAO cited a NASA report that said the number of malicious code attacks – 839 – was the highest experienced by any of the federal agencies, which accounted for more than one-quarter of the total number of malicious code attacks directed at federal agencies in 2007 and 2008. GAO cited an official at the U.S.-CERT as saying NASA’s high profile makes the agency an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying.

Reacting to GAO’s findings, House Science and Technology Committee Chairman Bart Gordon, D.-Tenn., sees NASA’s IT vulnerability woes as being emblematic of the cybersecurity problems federal agencies face, despite the passage of a dozen major IT security laws in as many years, the increased attention given by the Clinton and Bush administrations on cybersecurity and $7 billions in annual spending to safeguard IT systems. “Regulation and legislation alone will not suffice,” Gordon said in a statement. “Agencies and departments must follow through with corrective actions to mitigate identified vulnerabilities. GAO has performed an invaluable service to NASA by identifying weaknesses and recommending needed improvements.”

Congressional investigators offered a number of security incidents to illustrate NASA’s IT system vulnerabilities, including some this year in which the space agency reported unauthorized access to sensitive data. According to GAO:

One center reported the theft of a laptop containing data subject to International Traffic in Arms Regulations. Stolen data included roughly 3,000 files of unencrypted International Traffic in Arms Regulations data with information for Hypersonic Wind Tunnel testing for the X-51 scramjet project and possibly personally identifiable information. Another center reported the theft of a laptop containing thermal models, review documentation, test plans, test reports, and requirements documents pertaining to NASA’s Lunar Reconnaissance Orbiter and James Webb Space Telescope projects. The incident report does not indicate whether this lost data was unencrypted or encrypted or how the incident was resolved.

“Significantly,” GAO said, “these were not isolated incidents, since NASA reported 209 incidents of unauthorized access to U.S.-CERT during fiscal years 2007 and 2008.”

Here’s another intrusion, according to the GAO report:

One center was alerted by the NASA SOC (security operations center) in February 2009 about traffic associated with a Seneka Rootkit Bot. In this case, NASA found that 82 NASA devices had been communicating with a malicious server since January 2009. A review of the data revealed that most of these devices were communicating with a server in the Ukraine. By March 2009, three centers were also infected with the bot attack.

And another:

In October 2007, a total of 86 incidents related to the Zonebac Trojan were reported by NASA centers. This particular form of malware is capable of disabling security software and downloading and running other malicious software at the whim of the attacker. U.S.-CERT reported in January 2008 on NASA’s ongoing problems with Zonebac and other malware infestations and recommended that the agency employ consistent patching and user education practices to prevent such infections from occurring.

“These attacks can result in damage to applications, data, or operating systems; disclosure of sensitive information; propagation of malware; use of affected systems as bots; an unavailability of systems and services; and a waste of time, money, and labor,” GAO said.