without digging into the full details of how the determinism stuff interplays with the protocol stack, their solution actually might have worked out ok if they had generated a second hash to fill the last 9 bits.
if they had happened to write this implementation just a month or two later, they could've written it to use CryptGenRandom on XP or later, and fallen back to the deterministic approach on Win9x, and this bug would've been avoided.
Npars01