Earlier this month, Bruce Blair, president of the Center for Defense Information, a non-profit-making military research organisation based in Washington, DC, wrote that Russian nuclear scientists last year found a bug in Microsoft's SQL Server database software that threatened the security not only of Russian nuclear weapons materials, but also of American nuclear materials. Microsoft executives and Energy Department representatives scoffed at the charge, saying Blair is making too much of a trivial matter. They said that the two bugs were never a threat, that no data was ever lost and that the issues Russia had with the software have been resolved. US nuclear data was never at risk, they said. "Bugs exist, and they get fixed," said Nancy Ambrosiano, a spokeswoman for the Los Alamos National Laboratory. At issue was software that the laboratory gave Russian researchers to help them protect their country's nuclear materials. Blair, in a column published in The Washington Post, said the Russians found a bug that caused some files to become invisible, though they remained in the database. The fear was that insiders could trace the invisible files and divert nuclear materials for dangerous ends, Blair wrote. Russian scientists alerted Los Alamos lab to the problem for fear that American nuclear materials were at risk, he wrote. The problem was found in SQL Server version 6.5. Russian scientists subsequently upgraded to SQL Server 7.0, a newer release of the database software, to help solve the problem. The scientists discovered that the same bug existed in the newer version, although in a less serious form, along with a new security flaw that could give unauthorised people easy access to information stored in the database, Blair told CNET News.com in an interview on Friday. "There was a dropped item for every 1,000 transactions" in SQL Server version 6.5, said Blair, who has uploaded email messages from Russian scientists on his organisation's Web site detailing the problems. "With (version) 7.0, (the problem) was reduced in order of magnitude, but it was still a serious problem with dropped files." Not so, say Microsoft executives and Los Alamos representatives. They say the bug that caused data to become invisible did exist, but was limited to one Russian facility that customised accounting software the lab had donated. The bug surfaced only in the customised accounting software running on SQL Server and did not appear at other customer sites, said Steve Murchie, Microsoft's group product manager for SQL Server. Microsoft offered to create a bug fix last year, but the Russian scientists didn't want it, said Murchie. "We heard this customer application was running some complex (software) code against 6.5 and was returning different results under different circumstances," he said. "We looked at it and offered to create a fix. No data was ever lost." To solve the problem, the lab suggested that the Russian scientists upgrade to SQL Server 7.0, according to Los Alamos' Ambrosiano. The Russian scientists moved to 7.0 and found a new bug that they said could allow unauthorised users to gain access to information. Murchie said the bug was a minor problem in Microsoft's instructions for using the software and has been resolved. "It was not a product flaw. Only under circumstances (where) the site (had) no password could anybody get to it," said Murchie. "If normal policies were in place, there's no impact." Murchie also takes issue with Blair's assertion that someone could have diverted the nuclear information while it was "invisible." Regardless of the software or the system, a knowledgeable insider could attempt to steal or alter information, but the blame would belong to a breakdown in the management of computing systems, not the software, Microsoft contends. "The fact of the matter is any insider with access to an application can corrupt software and divert anything for their own nefarious purpose," he said. Lab officials said Russian's customised software was never used in the United States and that the US was never vulnerable to the same problem. "To our knowledge, there has been no Russian nuclear information lost or any diversion of Russian nuclear material due to the flaw," lab representatives said in a statement. "US nuclear material accountability systems are rigorously tested and have demonstrated capability for tracking all accountable nuclear materials." Microsoft, which competes against Oracle and IBM in the database software market, sells a new version of its database called SQL Server 2000. Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet news forum. Let the editors know what you think in the Mailroom. And read other letters.