Microsoft AppLocker Flaw Lets Malicious Apps Bypass Security Restrictions
Security researchers at Varonis Threat Labs have identified a subtle but significant vulnerability in Microsoft’s AppLocker security feature that could allow malicious applications to bypass established security restrictions.
While not classified as a critical vulnerability, the discovery highlights important gaps in enterprise security configurations that organizations should address.
AppLocker serves as Microsoft’s enterprise-grade application control solution, functioning essentially as a digital gatekeeper that determines which applications and files can execute on Windows systems.
Organizations rely on this security feature to prevent malware infections, maintain regulatory compliance, and control software installations across their networks.
The system operates by enforcing predefined rules that either allow or block specific executables, scripts, and dynamic link libraries (DLLs) from running.
Microsoft maintains a reference page listing applications that can be abused to bypass AppLocker restrictions (signed Windows binaries that load or execute arbitrary code), together with suggested rules for blocking them, and updates it as new bypasses are found.
This transparency helps administrators understand the attack surface and import appropriate deny rules into their own policies.
The Version Number Discrepancy
The problem stems from a small but consequential typo in the AppLocker configuration Microsoft suggests alongside that list.
Varonis researchers noticed that the MaximumFileVersion of the suggested rules (the HighSection of a BinaryVersionRange in AppLocker policy XML) was written as 65355.65355.65355.65355 instead of 65535.65535.65535.65535.
Each of the four fields of a Windows file version is an unsigned 16-bit integer, so 65535 is the highest value a field can hold; 65355 falls 180 short of it.
A deny rule bounded at 65355.65355.65355.65355 therefore fails to match any binary whose version compares higher, from 65355.65355.65355.65356 up to 65535.65535.65535.65535. AppLocker compares versions field by field, major first, so a version such as 65356.0.0.0 already lies outside the range.
In principle an attacker could raise the version resource of a blocked executable above that bound so the deny rule no longer applies, letting the program run despite the policy.
In practice, however, the impact is limited by the nature of the rule itself.
The version number lives in the executable's version resource, which is covered by its Authenticode signature, so editing it invalidates the signature.
A publisher rule only matches a validly signed file, which means the tampered binary also stops matching any publisher-based allow rule; a policy that allows only signed executables still blocks it. The gap only helps an attacker where the allow rules are path-based or otherwise do not depend on the signature.
That limitation is why the issue is treated as a configuration error rather than a critical vulnerability, though it is still worth correcting.
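To make the range gap concrete, and to give administrators a way to check their own exported policies for the same typo, here is an added example (not code from Varonis or Microsoft). It parses a constructed AppLocker policy fragment in the real policy XML schema, flags every deny rule whose BinaryVersionRange upper bound stops short of the 16-bit ceiling, and shows which file versions escape the flawed bound. The publisher name, binary name and rule names in the sample are placeholders, not the entries in Microsoft's block list.

```python
"""Audit AppLocker publisher deny rules for a BinaryVersionRange whose upper
bound stops short of 65535.65535.65535.65535, and show which file versions
fall outside such a range.

Added example, not Varonis's or Microsoft's code. The policy XML below is a
constructed sample in the AppLocker policy schema; publisher, binary and rule
names are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

Version = Tuple[int, int, int, int]

# Each of the four dotted fields of a Windows file version is an unsigned
# 16-bit value, so this is the highest version a file can carry.
MAX_VERSION: Version = (65535, 65535, 65535, 65535)


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' into a 4-tuple, checking that each field fits in 16 bits."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted fields, got {text!r}")
    fields = tuple(int(p) for p in parts)
    for f in fields:
        if not 0 <= f <= 65535:
            raise ValueError(f"field {f} outside 0..65535 in {text!r}")
    return fields


def version_in_range(ver: Version, low: Version, high: Version) -> bool:
    """AppLocker compares versions field by field, major field first;
    Python tuple comparison has exactly that ordering."""
    return low <= ver <= high


# Constructed policy: rule-a carries the 65355 typo, rule-b is the corrected form.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="rule-a" Name="Block EXAMPLE.EXE (typo)" Action="Deny" UserOrGroupSid="S-1-1-0">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="EXAMPLE.EXE">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="65355.65355.65355.65355"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="rule-b" Name="Block EXAMPLE.EXE (corrected)" Action="Deny" UserOrGroupSid="S-1-1-0">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="EXAMPLE.EXE">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="65535.65535.65535.65535"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""


def find_short_ranges(policy_xml: str) -> List[Tuple[str, str, str]]:
    """Return (rule name, binary name, HighSection) for every deny rule whose
    upper bound is below the 16-bit ceiling and so leaves versions unmatched."""
    root = ET.fromstring(policy_xml)
    findings = []
    for rule in root.iter("FilePublisherRule"):
        if rule.get("Action") != "Deny":
            continue
        for cond in rule.iter("FilePublisherCondition"):
            rng = cond.find("BinaryVersionRange")
            if rng is None:
                continue
            high = rng.get("HighSection", "")
            if high == "*":  # "*" is AppLocker's "any version"; nothing to check
                continue
            if parse_version(high) < MAX_VERSION:
                findings.append((rule.get("Name", ""), cond.get("BinaryName", ""), high))
    return findings


def unmatched_versions(high: str, probes: List[str]) -> List[str]:
    """Which of the probe versions escape a deny range of 0.0.0.0 .. high?"""
    low, hi = parse_version("0.0.0.0"), parse_version(high)
    return [v for v in probes if not version_in_range(parse_version(v), low, hi)]


if __name__ == "__main__":
    for name, binary, high in find_short_ranges(SAMPLE_POLICY):
        print(f"{name}: {binary} HighSection={high} leaves higher versions unmatched")
    probes = ["1.0.0.0", "65355.65355.65355.65355",
              "65355.65355.65355.65356", "65356.0.0.0", "65535.65535.65535.65535"]
    print("escape typo rule :", unmatched_versions("65355.65355.65355.65355", probes))
    print("escape fixed rule:", unmatched_versions("65535.65535.65535.65535", probes))
```

To run the check against a real machine, export the effective policy first (for example with `Get-AppLockerPolicy -Effective -Xml` in PowerShell) and pass that XML string to `find_short_ranges` in place of the constructed sample.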
Following Varonis’s responsible disclosure of this discovery, Microsoft has taken corrective action to address the underlying documentation error.
The company has updated its official documentation to reflect the correct maximum file version values, helping prevent future misconfigurations.
The incident is a reminder that a single mistyped digit in a security configuration can quietly leave a gap.
Organizations that imported the suggested rules should check the version bounds in their own AppLocker policies, prefer publisher-based allow rules over path-based ones, and review policies regularly against Microsoft's current guidance.