Earlier this month, Bruce Blair, president of the Center for Defense Information, a nonprofit military research organization based in Washington, DC, wrote that Russian nuclear scientists last year found a bug in Microsoft's SQL Server database software that threatened the security not only of Russian nuclear weapons materials, but also of US nuclear materials.
Microsoft executives and Energy Department representatives scoff at the charge, saying Blair is making too much of a trivial matter. They say that the two bugs were never a threat, that no data was ever lost, and that the issues Russia had with the software have been resolved. US nuclear data was never at risk, they say.
"Bugs exist, and they get fixed," said Nancy Ambrosiano, a spokeswoman for the Los Alamos National Laboratory.
At issue was software that the laboratory gave Russian researchers to help them protect their country's nuclear materials. Blair, in a column published in The Washington Post, said the Russians found a bug that caused some files to become invisible, though they remained in the database. The fear was that insiders could trace the invisible files and divert nuclear materials for dangerous ends, Blair wrote. Russian scientists alerted Los Alamos lab to the problem for fear that American nuclear materials were at risk, he wrote.
The problem was found in SQL Server 6.5. Russian scientists subsequently upgraded to SQL Server 7.0, a newer release of the database software, to help solve the problem. The scientists discovered that the same bug existed in the newer version, although in a less serious form, along with a new security flaw that could give unauthorized people easy access to information stored in the database, Blair said in an interview Friday.
"There was a dropped item for every 1,000 transactions" in SQL Server 6.5, said Blair, who has uploaded on his organization's Web site email messages from Russian scientists detailing the problems. "With (version) 7.0, (the problem) was reduced in order of magnitude, but it was still a serious problem with dropped files."
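The defensive check that a dropped-record problem like this one calls for is an independent reconciliation: compare what the accounting application believes it committed against what the database actually holds, both by transaction id and by per-item material balance. The following is an added illustration, not code from the article, Microsoft, or the Los Alamos software; it uses SQLite in place of SQL Server so it runs offline, and the `movements` table, the journal format and all quantities are constructed for the example.

```python
import sqlite3

# Constructed sample journal: the (txn_id, item_id, delta_grams) records the
# accounting application believes it committed. Hypothetical data.
JOURNAL = [
    (1, "item-A", 100.0),
    (2, "item-B", 50.0),
    (3, "item-A", -25.0),
    (4, "item-C", 10.0),
    (5, "item-B", -5.0),
]

# Rows that actually landed in the database. Transaction 4 is deliberately
# absent to model one "dropped" record of the kind the article describes.
STORED = [
    (1, "item-A", 100.0),
    (2, "item-B", 50.0),
    (3, "item-A", -25.0),
    (5, "item-B", -5.0),
]


def build_db(rows):
    """Create an in-memory SQLite stand-in for the materials database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE movements ("
        "txn_id INTEGER PRIMARY KEY, item_id TEXT NOT NULL, delta_grams REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO movements VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def reconcile(conn, journal, tolerance=1e-9):
    """Compare the application journal with the stored rows.

    Returns (missing_txn_ids, balance_mismatches):
      missing_txn_ids     - journal transaction ids with no stored row
      balance_mismatches  - {item_id: (expected_total, stored_total)} for
                            every item whose material balance disagrees
    """
    stored_ids = {row[0] for row in conn.execute("SELECT txn_id FROM movements")}
    missing = sorted(txn_id for txn_id, _, _ in journal if txn_id not in stored_ids)

    # Expected per-item balance from the journal.
    expected = {}
    for _, item_id, delta in journal:
        expected[item_id] = expected.get(item_id, 0.0) + delta

    # Actual per-item balance from what the database holds.
    actual = dict(
        conn.execute("SELECT item_id, SUM(delta_grams) FROM movements GROUP BY item_id")
    )

    mismatches = {}
    for item_id, want in expected.items():
        have = actual.get(item_id, 0.0)
        if abs(want - have) > tolerance:
            mismatches[item_id] = (want, have)
    return missing, mismatches


if __name__ == "__main__":
    missing, mismatches = reconcile(build_db(STORED), JOURNAL)
    print("missing transactions:", missing)          # [4]
    print("balance mismatches:", mismatches)         # {'item-C': (10.0, 0.0)}
```

Run periodically against the production database, a check like this surfaces a silently dropped record as a concrete transaction id and a per-item imbalance, which is what distinguishes a tested accountability system from one that simply trusts the database to have kept every write.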
Not so, say Microsoft executives and Los Alamos representatives.
They say the bug that caused data to become invisible did exist, but was limited to one Russian facility that customized accounting software the lab had donated. The bug surfaced only in the customized accounting software running on SQL Server and did not appear at other customer sites, said Steve Murchie, Microsoft's group product manager for SQL Server.
Microsoft offered to create a bug fix last year, but the Russian scientists didn't want it, said Murchie.
"We heard this customer application was running some complex (software) code against 6.5 and was returning different results under different circumstances," he said. "We looked at it and offered to create a fix. No data was ever lost."
To solve the problem, the lab suggested that the Russian scientists upgrade to SQL Server 7.0, according to Los Alamos' Ambrosiano. The Russian scientists moved to 7.0 and found a new bug that they said could allow unauthorized users to gain access to information.
Murchie said the bug was a minor problem in Microsoft's instructions for using the software and has been resolved. "It was not a product flaw. Only under circumstances (where) the site (had) no password could anybody get to it," he said. "If normal policies were in place, there's no impact."
Murchie also takes issue with Blair's assertion that someone could have diverted the nuclear information while it was "invisible". Regardless of the software or the system, a knowledgeable insider could attempt to steal or alter information, but the blame would belong to a breakdown in the management of computing systems, not to the software, Microsoft contends.
"The fact of the matter is, any insider with access to an application can corrupt software and divert anything for their own nefarious purpose," Murchie said.
Lab officials said Russia's custom software was never used in the United States and that the United States was never vulnerable to the same problem.
"To our knowledge, there has been no Russian nuclear information lost or any diversion of Russian nuclear material due to the flaw," lab representatives said in a statement. "U.S. nuclear material accountability systems are rigorously tested and have demonstrated capability for tracking all accountable nuclear materials."
Microsoft, which competes against Oracle and IBM in the database software market, sells a new version of its database, called SQL Server 2000.