A newly discovered configuration flaw in Microsoft’s AppLocker block list policy exposes a subtle yet critical security loophole. The issue revolves around an incorrect setting in the MaximumFileVersion field, which was configured as 65355.65355.65355.65355 instead of the correct 65535.65535.65535.65535. This versioning mistake inadvertently created a gap in the application control framework, allowing any binary with a version number between these two values to potentially evade AppLocker restrictions. This discovery highlights how even minor misconfigurations in security policies can be leveraged by threat actors if not addressed promptly.

The flaw can be exploited when an attacker modifies a known blocked executable’s version metadata to exceed the incorrect maximum version. By altering this metadata to a version above 65355, the executable could bypass AppLocker’s enforcement and run, assuming only block list-based control is applied. However, such manipulation typically invalidates the file's digital signature, which plays a crucial role in Microsoft’s broader security model. This means that while the executable may evade the block list policy, it would still be blocked under a code signing policy if such a policy is in place.

This layered security approach significantly mitigates the real-world impact of the vulnerability. AppLocker is intended to work in tandem with code-signing policies that only allow signed binaries to run. Therefore, even if the MaximumFileVersion is incorrectly configured, the digital signature validation process would still stop tampered files from executing. Nonetheless, organizations that rely solely on AppLocker block lists without enforcing code-signing restrictions remain at risk of potential exploitation through this version metadata bypass.

The vulnerability originated from a documentation error on Microsoft’s own Publish Page, which mislisted the maximum version value. Following a responsible disclosure by the Researcher, Microsoft has since corrected the error. This case serves as a cautionary tale on the importance of validating security configurations rather than blindly copying them from official documentation. Enterprises are urged to audit their AppLocker configurations, correct the MaximumFileVersion setting, and enforce a defense-in-depth strategy by combining application control with strict code-signing requirements.