July 28, 2025
Severity
High
Analysis Summary
A newly discovered configuration flaw in Microsoft’s AppLocker block list policy exposes a subtle yet critical security loophole. The issue revolves around an incorrect setting in the MaximumFileVersion field, which was configured as 65355.65355.65355.65355 instead of the correct 65535.65535.65535.65535. This versioning mistake inadvertently created a gap in the application control framework, allowing any binary with a version number between these two values to potentially evade AppLocker restrictions. This discovery highlights how even minor misconfigurations in security policies can be leveraged by threat actors if not addressed promptly.
The flaw can be exploited when an attacker modifies a known blocked executable’s version metadata to exceed the incorrect maximum version. By altering this metadata to a version above 65355, the executable could bypass AppLocker’s enforcement and run, assuming only block list-based control is applied. However, such manipulation typically invalidates the file's digital signature, which plays a crucial role in Microsoft’s broader security model. This means that while the executable may evade the block list policy, it would still be blocked under a code signing policy if such a policy is in place.
This layered security approach significantly mitigates the real-world impact of the vulnerability. AppLocker is intended to work in tandem with code-signing policies that only allow signed binaries to run. Therefore, even if the MaximumFileVersion is incorrectly configured, the digital signature validation process would still stop tampered files from executing. Nonetheless, organizations that rely solely on AppLocker block lists without enforcing code-signing restrictions remain at risk of potential exploitation through this version metadata bypass.
The vulnerability originated from a documentation error on Microsoft’s own Publish Page, which mislisted the maximum version value. Following responsible disclosure by the researcher, Microsoft has since corrected the error. This case serves as a cautionary tale on the importance of validating security configurations rather than blindly copying them from official documentation. Enterprises are urged to audit their AppLocker configurations, correct the MaximumFileVersion setting, and enforce a defense-in-depth strategy by combining application control with strict code-signing requirements.
Impact
- Security Bypass
- Gain Access
Remediation
- Update the MaximumFileVersion in AppLocker policies to the correct value: 65535.65535.65535.65535.
- Audit all existing AppLocker configurations for copied or outdated block list values.
- Implement and enforce code-signing policies to ensure only digitally signed executables are allowed to run.
- Avoid blindly copying configurations from documentation—validate all settings before applying them in production.
- Regularly review and test security policies for effectiveness and potential misconfigurations.
- Stay informed about vendor updates and apply corrections from official sources promptly.
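The audit step above can be automated. The following is an added example, not code from the advisory or from Microsoft: it parses an exported AppLocker policy (the XML produced by `Get-AppLockerPolicy -Effective -Xml`) and flags every Deny publisher rule whose BinaryVersionRange HighSection stops short of 65535.65535.65535.65535, which is exactly the gap the analysis describes. The sample policy embedded in the script is constructed and reproduces the mis-typed 65355 value; the publisher and product names in it are placeholders.

```python
# Added example (not from the advisory): audit an exported AppLocker policy
# for Deny publisher rules whose BinaryVersionRange HighSection is below the
# true maximum file version, leaving a version band the block list misses.
import xml.etree.ElementTree as ET

MAX_VERSION = (65535, 65535, 65535, 65535)

def parse_version(text):
    """Turn '1.2.3.4' (or '*', meaning unbounded) into a comparable 4-tuple."""
    if text.strip() == "*":
        return MAX_VERSION
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def version_in_range(version, low, high):
    """True when version lies within [low, high] of a BinaryVersionRange."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)

def audit_policy(xml_text):
    """Return (rule name, HighSection) for every Deny publisher rule whose
    upper bound is lower than 65535.65535.65535.65535."""
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.iter("FilePublisherRule"):
        if rule.get("Action") != "Deny":
            continue
        for rng in rule.iter("BinaryVersionRange"):
            high = rng.get("HighSection", "*")
            if parse_version(high) < MAX_VERSION:
                findings.append((rule.get("Name"), high))
    return findings

# Constructed sample policy reproducing the mis-typed value from the advisory.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001"
        Name="Block vulnerable tool" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=EXAMPLE CITY, S=WA, C=US"
            ProductName="EXAMPLE TOOL" BinaryName="TOOL.EXE">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="65355.65355.65355.65355" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""

if __name__ == "__main__":
    for name, high in audit_policy(SAMPLE_POLICY):
        print(f"[!] Deny rule '{name}' caps at {high}; versions above it are not blocked")
```

Run it against a real export by reading the XML file into `audit_policy`; an empty result means every Deny publisher rule reaches the true maximum (or uses `*`).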