United States, Microsoft Agree: No Nuclear Vulnerability

Microsoft denies reports that a SQL Server bug has compromised vital data in Russia's nuclear-missile databases.

Paul Thurrott

October 30, 2001

2 Min Read
ITPro Today logo in a gray background | ITPro Today

Microsoft is embroiled in yet another controversy, this one regarding alleged SQL Server flaws that could cause data loss in nuclear-weapons centers in Russia and the United States. A recent opinion piece by Center for Defense Information (CDI) President Bruce G. Blair (published by The Washington Post) claims that a SQL Server 6.5 bug caused Russian data to "disappear" and that SQL Server 7.0 includes a less-dangerous version of the bug as well as other security flaws that place data at risk. But the US Department of Energy and Microsoft both responded that the software company long ago provided a fix for the SQL Server 6.5 problem and that the reported SQL Server 7.0 bugs don't exist; hence, no data was—or stands to be—lost. (Blair details the dispute on the CDI Web site at http://www.cdi.org/nuclear/nukesoftware.html.)

Blair reports that two years ago, scientists at the Russian Research Centre Kurchatov Institute in Moscow found the bug in a SQL Server 6.5 nuclear-materials database and claimed that thousands of nuclear missiles would have ended up being unaccounted for if they hadn't uncovered the problem. The Russians said they contacted the United States about the problem (both countries were using SQL Server—based systems to meet weapons-reduction agreements) and that the US Department of Energy and Microsoft acknowledged the bug and gave Russia a fix for it. But according to Blair, the remedy didn't solve the disappearing-data problem, which the Russians found again in SQL Server 7.0. In fact, the Russians claim that potentially devastating security flaws also exist in the newer server version. Microsoft disagrees.

"No data was ever being lost; nothing was disappearing, but we considered that [SQL Server 6.5 bug]—as we consider any security issue—a very high priority," said Steve Murchie, group product manager for SQL Server at Microsoft. "We offered a quick fix." A spokesperson for the National Nuclear Safety Administration (NNSA), which oversees nuclear-materials accounting, backed up Microsoft's claim. "There's no analogous risk [on the US side], as Mr. Blair stated." The spokesperson said that the US tracking system is quite different from the Russian system. The NNSA also noted that no data or actual nuclear materials were ever lost in either country. As far as the alleged SQL Server 7.0 flaws go, Microsoft said that the problem is simply a lack of ordinary security procedures and is unrelated to its database code.

Frankly, the fact that no one actually lost data doesn't refute the existence of a bug. If Microsoft wants this issue to go away, it should document the problems that the Russians ran into and explain how other mission-critical SQL Server installations can work around such flaws.

Read more about:

Microsoft

About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like