Malicious Apps Exploit Microsoft AppLocker Vulnerability to Bypass Restrictions

A configuration flaw in Microsoft's recommended AppLocker block list policy has been identified, showing how attackers might bypass security restrictions because of a subtle versioning mistake. The problem lies in an incorrect MaximumFileVersion value that leaves a gap in Microsoft's application control policy. It emphasizes the need for accurate security policy implementation in enterprise environments.

According to Varonis Threat Labs, the issue originates from a small but impactful error in Microsoft's recommended AppLocker block list configuration. The MaximumFileVersion field was mistakenly set to 65355.65355.65355.65355 instead of the correct 65535.65535.65535.65535. Since 65535 is the highest value of an unsigned 16-bit integer, and each of the four fields of a file version is a 16-bit value, any executable whose version number is higher than 65355.65355.65355.65355 (up to the true maximum of 65535.65535.65535.65535) falls outside the rule's range and could avoid policy enforcement.

Attackers could change the version metadata of a blocked executable to exceed the configured maximum, allowing it to run despite being on the block list. Although this finding is alarming at first glance, the actual security risk is reduced by Microsoft's layered security approach. AppLocker's block list is intended to function alongside code signing policies that only allow signed executables to run. If an attacker alters an executable's version information, the file's digital signature no longer matches, so the modified file is rejected by the policy requiring valid signatures. This layering shows that even when one control fails, others can still provide protection.

However, organizations that depend only on the block list without using code signing policies may be exposed to this bypass. An investigation into the source of the error traced it to Microsoft's own documentation: the incorrect 65355 value appeared in Microsoft's Publish Page, and has now been corrected after Varonis reported it. This case highlights how documentation errors can lead to real security risks when configurations are copied without review. The discovery is a reminder for security teams to carefully examine policy settings, avoid blindly copying recommendations, and use multiple layers of defense. Organizations using AppLocker should update their MaximumFileVersion settings and implement complete application control policies to reduce exposure.
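The following Python script is an added example written for this article; it is not code from Varonis or Microsoft. It audits an exported AppLocker policy for the version range gap described above, and shows why the typo'd upper bound matters. In AppLocker policy XML the MaximumFileVersion setting appears as the HighSection attribute of a BinaryVersionRange element under a FilePublisherCondition; the sample policy below is constructed, with illustrative rule names, GUIDs and publisher strings rather than values from any real block list.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# A file version is four unsigned 16-bit fields, so no field can exceed 65535 (0xFFFF).
Version = Tuple[int, int, int, int]
MAX_VERSION: Version = (65535, 65535, 65535, 65535)

# Constructed sample policy: two Deny publisher rules, one carrying the 65355 typo.
# Rule names, Ids and the publisher string are illustrative placeholders.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="Block TOOL-A (typo)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=CITY, S=STATE, C=US" ProductName="*" BinaryName="TOOL-A.EXE">
          <BinaryVersionRange LowSection="*" HighSection="65355.65355.65355.65355" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="22222222-2222-2222-2222-222222222222" Name="Block TOOL-B (correct)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=CITY, S=STATE, C=US" ProductName="*" BinaryName="TOOL-B.EXE">
          <BinaryVersionRange LowSection="*" HighSection="65535.65535.65535.65535" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""


def parse_version(text: str) -> Optional[Version]:
    """Parse 'a.b.c.d' into a 4-tuple; '*' means unbounded and returns None."""
    text = text.strip()
    if text == "*":
        return None
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 4 or any(p < 0 or p > 65535 for p in parts):
        raise ValueError(f"invalid file version: {text!r}")
    return parts  # type: ignore[return-value]


def version_in_range(version: Version, low: Optional[Version], high: Optional[Version]) -> bool:
    """Field-by-field (lexicographic) comparison, which is how file versions are ordered."""
    if low is not None and version < low:
        return False
    if high is not None and version > high:
        return False
    return True


def deny_rules_with_gap(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (rule name, binary name, HighSection) for every Deny rule whose upper
    bound is finite and below 65535.65535.65535.65535, i.e. leaves versions uncovered."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter("FilePublisherRule"):
        if rule.get("Action") != "Deny":
            continue
        for cond in rule.iter("FilePublisherCondition"):
            for rng in cond.iter("BinaryVersionRange"):
                high_text = rng.get("HighSection", "*")
                high = parse_version(high_text)
                if high is not None and high < MAX_VERSION:
                    findings.append((rule.get("Name", ""), cond.get("BinaryName", ""), high_text))
    return findings


def is_denied(xml_text: str, binary_name: str, version_text: str) -> bool:
    """Would any Deny rule match this binary name and file version?
    Simplified model: publisher and product are not checked, only name and version range."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError("a concrete file version is required")
    root = ET.fromstring(xml_text)
    for rule in root.iter("FilePublisherRule"):
        if rule.get("Action") != "Deny":
            continue
        for cond in rule.iter("FilePublisherCondition"):
            if cond.get("BinaryName", "").upper() != binary_name.upper():
                continue
            for rng in cond.iter("BinaryVersionRange"):
                low = parse_version(rng.get("LowSection", "*"))
                high = parse_version(rng.get("HighSection", "*"))
                if version_in_range(version, low, high):
                    return True
    return False


if __name__ == "__main__":
    for name, binary, high in deny_rules_with_gap(SAMPLE_POLICY):
        print(f"GAP: rule {name!r} for {binary} stops at {high}, not {'.'.join(map(str, MAX_VERSION))}")
    # The same out-of-range version is missed by the typo'd rule and caught by the correct one.
    print("TOOL-A.EXE 65400.0.0.0 denied?", is_denied(SAMPLE_POLICY, "TOOL-A.EXE", "65400.0.0.0"))
    print("TOOL-B.EXE 65400.0.0.0 denied?", is_denied(SAMPLE_POLICY, "TOOL-B.EXE", "65400.0.0.0"))
```

To run the audit against a live host, export the effective policy with `Get-AppLockerPolicy -Effective -Xml` and pass that text to `deny_rules_with_gap`. The fix for each finding is to set HighSection to 65535.65535.65535.65535, or to `*`, which the schema accepts as an unbounded upper limit; the version comparison in `is_denied` is only a model of the range check and does not replace testing with `Test-AppLockerPolicy`.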
