United States, Microsoft Agree: No Nuclear Vulnerability

Microsoft is embroiled in yet another controversy, this one regarding alleged SQL Server flaws that could cause data loss in nuclear-weapons centers in Russia and the United States. A recent opinion piece by Center for Defense Information (CDI) President Bruce G. Blair (published by The Washington Post) claims that a SQL Server 6.5 bug caused Russian data to "disappear" and that SQL Server 7.0 includes a less-dangerous version of the bug as well as other security flaws that place data at risk. But the US Department of Energy and Microsoft both responded that the software company long ago provided a fix for the SQL Server 6.5 problem and that the reported SQL Server 7.0 bugs don't exist; hence, no data was—or stands to be—lost. (Blair details the dispute on the CDI Web site at http://www.cdi.org/nuclear/nukesoftware.html.)

Blair reports that two years ago, scientists at the Russian Research Centre Kurchatov Institute in Moscow found the bug in a SQL Server 6.5 nuclear-materials database and claimed that thousands of nuclear missiles would have ended up being unaccounted for if they hadn't uncovered the problem. The Russians said they contacted the United States about the problem (both countries were using SQL Server—based systems to meet weapons-reduction agreements) and that the US Department of Energy and Microsoft acknowledged the bug and gave Russia a fix for it. But according to Blair, the remedy didn't solve the disappearing-data problem, which the Russians found again in SQL Server 7.0. In fact, the Russians claim that potentially devastating security flaws also exist in the newer server version. Microsoft disagrees.

"No data was ever being lost; nothing was disappearing, but we considered that [SQL Server 6.5 bug]—as we consider any security issue—a very high priority," said Steve Murchie, group product manager for SQL Server at Microsoft. "We offered a quick fix." A spokesperson for the National Nuclear Safety Administration (NNSA), which oversees nuclear-materials accounting, backed up Microsoft's claim. "There's no analogous risk [on the US side], as Mr. Blair stated." The spokesperson said that the US tracking system is quite different from the Russian system. The NNSA also noted that no data or actual nuclear materials were ever lost in either country. As far as the alleged SQL Server 7.0 flaws go, Microsoft said that the problem is simply a lack of ordinary security procedures and is unrelated to its database code.

Frankly, the fact that no one actually lost data doesn't refute the existence of a bug. If Microsoft wants this issue to go away, it should document the problems that the Russians ran into and explain how other mission-critical SQL Server installations can work around such flaws.