views: 166

answers: 1

Hi all,

I've recently found a very nonobvious solution for a Microsoft CryptoAPI issue. Because of a read-only flag on the (seemingly unrelated) CREDHIST file, the whole CryptoAPI stack was wildly misbehaving, from CryptAcquireContext() upwards. For the greater common good, I'd like to see this documented in the MS KB, where it belongs.

From my past exploits around the MS KB I know that strangers aren't supposed to submit articles; only MS employees and contractors do. So I'm looking for a MS-affiliated sponsor who'd submit the article on my behalf. The credit does not matter; articles are anonymous anyway.

Full write-up here: http://social.msdn.microsoft.com/Forums/en/windowssecurity/thread/11b08625-b432-4667-ab82-a7e0ed008fc3

+9  A: 

Try submitting the relevant comments, writeup, etc. via the "Send comments about this topic to Microsoft" link from a top-level CryptoAPI MSDN page (which just generates an email).

EDIT: If you're a TechNet subscriber, you have two free incidents you can use to contact Microsoft about this. You'll also get guaranteed forum replies from Microsoft with a subscription. If you don't subscribe, you can pay some money for a one-time incident. Or, if you can phrase it as a Vista SP1 issue, you might be able to get some attention for free.

Michael Petrotta
Did that, but I wonder if anyone reads them. I'm not marking this as an answer just yet :)
Seva Alekseyev
Yes, I believe it is a well-monitored address. I've never sent that one myself, but from my experience with other similar addresses, the response is good.
AviD
I'm not a TechNet subscriber. It's $50 for a single incident. I'll think of it...
Seva Alekseyev
Got a response from MSFT. Thanks.
Seva Alekseyev