An incorrect value for the MaximumFileVersion field in the AppLocker configuration allowed attackers to run prohibited applications, bypassing security policies — all because of a trivial error in the version published in the official Microsoft documentation.

Microsoft's documentation recommended an AppLocker configuration with an incorrect version limit: 65355.65355.65355.65355 instead of the maximum value of 65535.65535.65535.65535. As a result, any executable file with a version greater than 65355 was not subject to the limit, so a modified malicious application could run even though it was blocked. However, changing the file version metadata results in the loss of the digital signature, so policies that allow only signed applications to run remain a reliable barrier. The issue only becomes critical when an organization relies solely on the block list without mandatory signature verification. Following Varonis’ report, Microsoft updated its documentation to correct the version value.
AppLocker is a Windows application launch control system that allows administrators to set rules that prohibit the launch of unwanted files. Its effectiveness depends on the accuracy of the settings. The vulnerability arose not because of the technology itself, but because of copying configurations from incorrect documentation, which once again confirms that even a small mistake in security policies can have serious consequences.
This incident proves the importance of thoroughly reviewing all security settings and implementing a multi-layered defense model. Organizations should urgently review their AppLocker policies, update the MaximumFileVersion value to 65535.65535.65535.65535, and ensure that digital signature verification is enabled. A secure infrastructure starts with attention to detail.
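One way to carry out the review recommended above, as an added example that is not taken from the article, Microsoft or Varonis: a small Python audit that finds every `MaximumFileVersion` attribute in a policy XML export and classifies its value. The sample policy, its element layout and the rule names are constructed for illustration; only the attribute name and the two version strings come from the text.

```python
import xml.etree.ElementTree as ET

MAX_PART = 65535               # each of the four version components is a 16-bit value
TRUE_MAX = (MAX_PART,) * 4     # 65535.65535.65535.65535, the intended upper bound
TYPO_PART = 65355              # component of the incorrect value named in the article

# Constructed sample policy; the element layout is an assumption for illustration.
SAMPLE_POLICY = """
<Policy>
  <Deny FriendlyName="tool-a" FileName="tool-a.exe"
        MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355"/>
  <Deny FriendlyName="tool-b" FileName="tool-b.exe"
        MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535"/>
  <Deny FriendlyName="tool-c" FileName="tool-c.exe"
        MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.19041.0"/>
</Policy>
"""

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of four ints, rejecting malformed values."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4 or any(not 0 <= p <= MAX_PART for p in parts):
        raise ValueError(f"not a four-part 16-bit version: {text!r}")
    return parts

def audit_policy(xml_text):
    """Return (rule name, raw value, status) for every MaximumFileVersion found."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        raw = elem.get("MaximumFileVersion")
        if raw is None:
            continue
        try:
            cap = parse_version(raw)
        except ValueError:
            status = "invalid"
        else:
            if cap == TRUE_MAX:
                status = "ok"
            elif TYPO_PART in cap:
                status = "typo"      # matches the incorrect documented value
            else:
                status = "bounded"   # lower cap: confirm it is intentional
        findings.append((elem.get("FriendlyName", elem.tag), raw, status))
    return findings

def is_covered(file_version, max_version):
    """True if file_version is at or below the rule's upper bound."""
    return parse_version(file_version) <= parse_version(max_version)
```

Rules reported as `typo` should be changed to 65535.65535.65535.65535; `is_covered` shows why, since a version such as 65400.0.0.0 is valid but lies above the mistyped bound.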