Varonis Threat Labs identified a nuanced vulnerability within Microsoft’s AppLocker, an enterprise-grade application control solution designed to prevent unauthorized software execution on Windows systems. AppLocker functions by enforcing rules that permit or deny specific executables, scripts, and DLLs, and organizations heavily depend on it for malware prevention and compliance. Microsoft transparently documents potential bypasses, which aids security administrators in configuring effective countermeasures.
The core of the vulnerability lies in a minor but significant discrepancy in Microsoft’s suggested AppLocker configuration. Varonis researchers discovered that the MaximumFileVersion field was mistakenly set to 65355 instead of the correct maximum of 65535. This numerical error creates a gap, as files with version numbers between these two values could theoretically bypass AppLocker rules if their version was manipulated to fall within this unchecked range.
Despite the potential for bypass, the practical impact of this vulnerability is significantly mitigated by common security practices.
Any modification to a file’s version number inevitably breaks its digital signature. Therefore, systems configured to allow only digitally signed executables would still block such tampered files, effectively preventing the exploit from succeeding in many real-world scenarios. This critical limitation is why the vulnerability is not classified as “critical” but rather as an important configuration issue.
Following Varonis’s responsible disclosure, Microsoft has addressed the issue by updating its official documentation to reflect the correct MaximumFileVersion values. This swift action helps prevent future misconfigurations based on outdated guidance.
The incident serves as a pertinent reminder that even seemingly small details in security configurations can lead to unexpected vulnerabilities.
The discovery underscores the necessity for organizations to diligently review and update their AppLocker policies. By ensuring that their security configurations align with the latest best practices and corrected documentation, organizations can proactively close potential security gaps. This vigilance is crucial for maintaining a robust security posture against sophisticated attackers who might seek to exploit even the most subtle weaknesses.
Reference:
