Software used to track US and Russian nuclear weapon resources had a glitch in it that could have caused information about the materials to be lost, a spokesman for the US National Nuclear Security Administration (NNSA), a division of the US Department of Energy, said Monday.
The software bug first came to broad public attention roughly two weeks ago when Bruce Blair, the president of the Center for Defense Information wrote an op/ed article for the Washington Post detailing the story of the flaw, its discovery by Russian researchers and the US reaction. Blair has also posted extensive information about the Russians' findings and his correspondence with them on his Web site.
In 1995, Russian nuclear researchers at the Kurchatov Institute were given software developed and used by the Los Alamos National Laboratories for tracking nuclear material and based on Microsoft Corp.'s SQL Server 6.5, NNSA spokesman Rick Ford said. That software was written using a special command language built into SQL Server, Steve Murchie, group product manager for SQL Server at Microsoft said.
Unbeknownst to both staff at both Los Alamos and Kurchatov, the custom-written code exposed a flaw in SQL Server 6.5 by stretching the abilities of the software's command language, Murchie said. The flaw came into play when large amounts of data were run against the program, causing files to become invisible and inaccessible, but still present in the database, both Ford and CDI's Blair said. Despite claims by the Kurchatov researchers, and repeated by Blair in his Washington Post piece, that the files would be permanently lost, Microsoft's Murchie said that the problem would not persist and that the files would eventually return. Officials at the Kurchatov Institute did not immediately respond to requests for comment.
This glitch might have caused a serious security problem in which "any insider who understood the software could exploit this flaw by tracking the 'disappeared' files and then physically diverting, for a profit, the materials themselves," Blair wrote. However, an inventory of US nuclear materials was taken and all were accounted for, the NNSA's Ford said.
The Russians informed their US counterparts of the flaw in early 2000, who in turn contacted Microsoft. Microsoft offered a work-around and a bug fix, but both were declined by the Department of Energy, Murchie said. Instead, the agency chose to upgrade to SQL Server 7.0, he said, adding that Microsoft tests have found that version 7.0 does not contain the same problem that 6.5 did.
Upgrading to SQL Server 7.0 did not solve the problem, however, according to Kurchatov. In fact, SQL Server 7.0 not only did not fix the original problem, but also introduced a new security hole that could allow unauthorized users access to databases, Blair wrote. This was only a minor issue created if system administrator accounts were created without passwords, and has since been resolved, said Murchie.
Though the original software given to Kurchatov was the same as that being used at Los Alamos, the US version of the software split onto a separate development path in 1996, resulting in "two separate, totally distinct systems," NNSA's Ford said. As such, any flaws found in the Russian version of the software may not be in the US version, he said.
Both the US and Russian systems have been fixed and the bug no longer occurs, according to NNSA's Ford. In his article, however, Blair wrote that "though a fix remains elusive, Kurchatov scientists also have shared a partial repair they developed." Though acknowledging that the Russians had upgraded to SQL 7.0 and that Microsoft had issued a patch for some problems, Blair did say Monday that "a patch may paper over a problem and it may or may not be a real fix."
"As far as I know, they are still concerned that the Microsoft patch was not the answer," he said Monday.
Microsoft disagrees with Blair and Kurchatov.
SQL Server 7.0 and 2000 have both resolved the problem according to Microsoft's testing, Murchie said. The problem experienced in SQL Server 6.5 was a result of the command language, not a flaw in the program itself, and has since been fixed, he said. In fact, the very code that caused the problem in the first place should work fine now, he said, adding that there have been no reports made to Microsoft of the same problem since.
"If it does exist and there's a customer problem, it has not been reported," Murchie said.