Microsoft’s AppLocker Flaw Allows Malicious Apps to Run and Bypass Restrictions
A critical configuration flaw in Microsoft’s AppLocker block list policy has been discovered, revealing how attackers could potentially bypass security restrictions through a subtle versioning error.
The issue centers on an incorrect MaximumFileVersion value that creates an exploitable gap in Microsoft’s application control framework, highlighting the importance of precise security policy implementation in enterprise environments.
Key Takeaways
1. Incorrect MaximumFileVersion (65355 vs 65535) opens an AppLocker bypass.
2. Tampered binaries lose valid signatures, so signed-only policies still stop attacks.
3. Fix by updating the block-list value and auditing all copied security configs.
AppLocker Config Vulnerability
Varonis Threat Labs reports that the vulnerability stems from a seemingly minor but significant discrepancy in Microsoft’s suggested AppLocker configuration.
Researchers found that the MaximumFileVersion field was incorrectly set to 65355.65355.65355.65355 instead of the expected 65535.65535.65535.65535.
This error creates a version range gap that malicious actors could exploit to bypass application restrictions.
The problematic configuration appears in Microsoft’s block list as:
Since 65535 is the maximum value of an unsigned 16-bit integer (the size of each of the four fields in a PE file version), any executable whose version number lies above the configured 65355.65355.65355.65355 ceiling but at or below the true ceiling of 65535.65535.65535.65535 falls outside the block-list range and could theoretically slip through policy enforcement.
An attacker could modify a blocked executable’s version metadata to exceed the configured maximum, allowing it to execute despite being on the block list.
While this discovery initially appears concerning, the practical security impact is significantly mitigated by Microsoft’s layered security approach.
The AppLocker block list policy is designed to work in conjunction with code signing requirements that only permit signed executables to run on the system.
When an attacker modifies an executable’s version information, this process inevitably breaks the file’s digital signature, causing the modified file to be blocked by the broader “signed executables only” rule.
This multilayered security design demonstrates that even when one control mechanism has a flaw, complementary security measures can prevent exploitation.
However, organizations relying solely on the block list without implementing code signing policies could potentially be vulnerable to this bypass technique.
Microsoft Addresses Documentation Source
Investigation into the error’s origin traced it back to Microsoft’s own documentation. The incorrect 65355 value appeared in Microsoft’s Publish Page documentation, which has since been corrected following Varonis’s responsible disclosure.
This incident underscores how documentation errors can propagate into production security policies when administrators copy configurations without thorough validation.
The discovery serves as a reminder that security professionals must carefully review all policy configurations, avoid blind copy-pasting of security rules, and implement defense-in-depth strategies.
Organizations using AppLocker should consider updating their MaximumFileVersion settings to proper values and ensure comprehensive application control policies are in place to prevent potential bypasses.
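As an added illustration (not code from the article, Varonis or Microsoft), the audit below parses AppLocker policy XML, where the maximum file version is expressed as the HighSection attribute of a BinaryVersionRange element, flags Deny rules whose upper bound stops short of 65535.65535.65535.65535, shows which version values such a rule fails to cover, and rewrites the bound to AppLocker's open-ended `*` form as the remediation above recommends. The sample policy, the publisher name and the binary names are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
# Constructed sample policy (not Microsoft's published block list): rule r1 copies the
# documented typo into its upper bound, rule r2 uses the open-ended form AppLocker allows.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="r1" Name="Block tool (typo)" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, C=US" ProductName="*" BinaryName="EXAMPLE.EXE">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="65355.65355.65355.65355"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="r2" Name="Block tool (correct)" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, C=US" ProductName="*" BinaryName="OTHER.EXE">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""
TRUE_MAX = (65535,) * 4  # four unsigned 16-bit fields: 65535.65535.65535.65535

def parse_version(text):
    """Four-part file version as a tuple; AppLocker's '*' means 'no upper limit'."""
    return TRUE_MAX if text == "*" else tuple(int(p) for p in text.split("."))

def version_outside_range(version, low_section, high_section):
    """True if a file with this version metadata would not match the rule's range."""
    v = parse_version(version)
    return v < parse_version(low_section) or v > parse_version(high_section)

def _short_deny_ranges(root):
    """Yield (rule, range) for every Deny rule whose HighSection stops short of TRUE_MAX."""
    for rule in root.iter("FilePublisherRule"):
        if rule.get("Action") == "Deny":
            for rng in rule.iter("BinaryVersionRange"):
                if parse_version(rng.get("HighSection", "*")) < TRUE_MAX:
                    yield rule, rng

def find_version_gaps(policy_xml):
    """Audit: list (rule name, HighSection) for each Deny rule with a short upper bound."""
    root = ET.fromstring(policy_xml)
    return [(r.get("Name"), g.get("HighSection")) for r, g in _short_deny_ranges(root)]

def fix_version_gaps(policy_xml):
    """Remediate: widen each short Deny upper bound to '*' and return the corrected XML."""
    root = ET.fromstring(policy_xml)
    for _, rng in list(_short_deny_ranges(root)):
        rng.set("HighSection", "*")
    return ET.tostring(root, encoding="unicode")
```

On a live system the same functions can be run over the output of `Get-AppLockerPolicy -Effective -Xml`, and the corrected XML re-imported with `Set-AppLockerPolicy`.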