July 23, 2001 7:40 AM PDT

Microsoft, U.S. dispute nuke software threat

Microsoft and the U.S. Department of Energy are disputing claims that bugs in Microsoft's database software threatened nuclear security in the United States and Russia.

Earlier this month, Bruce Blair, president of the Center for Defense Information, a nonprofit military research organization based in Washington, D.C., wrote that Russian nuclear scientists last year found a bug in Microsoft's SQL Server database software that threatened the security not only of Russian nuclear weapons materials, but also of U.S. nuclear materials.

Microsoft executives and Energy Department representatives scoff at the charge, saying Blair is making too much of a trivial matter. They say that the two bugs were never a threat, that no data was ever lost, and that the issues Russia had with the software have been resolved. U.S. nuclear data was never at risk, they say.

"Bugs exist, and they get fixed," said Nancy Ambrosiano, a spokeswoman for the Los Alamos National Laboratory.

At issue was software that the laboratory gave Russian researchers to help them protect their country's nuclear materials. Blair, in a column published in The Washington Post, said the Russians found a bug that caused some files to become invisible, though they remained in the database. The fear was that insiders could trace the invisible files and divert nuclear materials for dangerous ends, Blair wrote. Russian scientists alerted Los Alamos lab to the problem for fear that American nuclear materials were at risk, he wrote.

The problem was found in SQL Server 6.5. Russian scientists subsequently upgraded to SQL Server 7.0, a newer release of the database software, to help solve the problem. The scientists discovered that the same bug existed in the newer version, although in a less serious form, along with a new security flaw that could give unauthorized people easy access to information stored in the database, Blair told CNET News.com in an interview Friday.

"There was a dropped item for every 1,000 transactions" in SQL Server 6.5, said Blair, who has uploaded on his organization's Web site e-mail messages from Russian scientists detailing the problems. "With (version) 7.0, (the problem) was reduced in order of magnitude, but it was still a serious problem with dropped files."

Not so, say Microsoft executives and Los Alamos representatives.

They say the bug that caused data to become invisible did exist, but was limited to one Russian facility that customized accounting software the lab had donated. The bug surfaced only in the customized accounting software running on SQL Server and did not appear at other customer sites, said Steve Murchie, Microsoft's group product manager for SQL Server.

Microsoft offered to create a bug fix last year, but the Russian scientists didn't want it, said Murchie.

"We heard this customer application was running some complex (software) code against 6.5 and was returning different results under different circumstances," he said. "We looked at it and offered to create a fix. No data was ever lost."

To solve the problem, the lab suggested that the Russian scientists upgrade to SQL Server 7.0, according to Los Alamos' Ambrosiano. The Russian scientists moved to 7.0 and found a new bug that they said could allow unauthorized users to gain access to information.

Murchie said the bug was a minor problem in Microsoft's instructions for using the software and has been resolved. "It was not a product flaw. Only under circumstances (where) the site (had) no password could anybody get to it," he said. "If normal policies were in place, there's no impact."

Murchie also takes issue with Blair's assertion that someone could have diverted the nuclear information while it was "invisible." Regardless of the software or the system, a knowledgeable insider could attempt to steal or alter information, but the blame would belong to a breakdown in the management of computing systems, not to the software, Microsoft contends.

"The fact of the matter is, any insider with access to an application can corrupt software and divert anything for their own nefarious purpose," Murchie said.

Lab officials said Russia's custom software was never used in the United States and that the United States was never vulnerable to the same problem.

"To our knowledge, there has been no Russian nuclear information lost or any diversion of Russian nuclear material due to the flaw," lab representatives said in a statement. "U.S. nuclear material accountability systems are rigorously tested and have demonstrated capability for tracking all accountable nuclear materials."

Microsoft, which competes against Oracle and IBM in the database software market, sells a new version of its database, called SQL Server 2000.


@Cnet. How did an article printed July 23, 2001 7:40 AM PDT end up on the "most popular" tab on August 26, 2010?
Posted by Seaspray0 (9714 comments )
Cause they were running out of things to troll MSFT on so they had to dig something up!
Posted by Adam-M (1901 comments )
@Seaspray0: Because of my website (http://howfuckedismydatabase.com/mssql -> click Yes). Sorry about that CNET ;)
Posted by lozzd (1 comment )
Ya Ruski !
Posted by AndroidFTW (5217 comments )
Geez, this is like news story necro big time. They need to set something to block news articles over a month old from being allowed to be in the top news list.
Posted by JDinKC (303 comments )
Which database is this article saved on?

Glad some readers took note of the date, as I was much more scared to hear those institutes are running SQL Server 6.7 and 7.0 (which are now 16-12 years old) than the reported bug.

I do hope they have upgraded since, as I doubt today they can get any bug fix to that software.

CNET - remove the link and stop the panic. Did we move away from making up headlines to recycle bad headlines?
Posted by r-e-l (67 comments )
"Microsoft and the U.S. Department of Energy are disputing claims that bugs in Microsoft's database software threatened nuclear security in the United States and Russia."

OMG, they trusted this level of security to Microsoft technology?
That is really scary.
Maybe Microsoft will be the cause of the demise of the USA?
Posted by t8 (3716 comments )
Did you read the article's publishing date like the rest, or do you just hate Microsoft? This article was published in 2001 and SQL Server 7.0 was obsolete 10 years ago.

For another fact - Microsoft may be blamed for bugs, but it gets work done and puts money in 70% of computer users' pockets
Posted by cng256 (13 comments )
Don't use nuclear materials and you will not get in trouble, manga de boludos!
Posted by oocanto (1 comment )