Paige Henley
Published on: July 23, 2025
A small mistake in Microsoft’s security settings could let attackers run blocked programs — unless extra protections are in place.
Security researchers at Varonis discovered that Microsoft’s suggested settings for AppLocker (a tool used to stop unwanted programs from running) contain a typo in a critical version number. The setting, called MaximumFileVersion, was mistakenly written as 65355 instead of the correct 65535.
That difference matters. “For example, an attacker can modify a ‘blocked’ executable’s version to exceed the ‘maximum’ version, allowing it to run and bypass the restrictions.” explained Eric Saraga, Director at Varonis Threat Labs.
AppLocker uses version numbers to decide whether a program is safe. If a hacker takes a known bad file and bumps its version number just above 65355, AppLocker might no longer block it, because the version looks newer than the block list allows.
But there’s a catch: changing a file’s version information breaks its digital signature. And on systems that only allow signed (verified) programs to run, this trick won’t work.
The real risk? Organizations that copied Microsoft’s faulty settings but didn’t enable code signing rules. Those systems could let tampered programs run freely.
The incident is a reminder that even official settings can contain mistakes, and blindly copying them can lead to real vulnerabilities. Experts recommend checking your policies, updating the version limit, and always using multiple layers of security.
Microsoft fixed the error in its documentation after being notified.
