Mitigate AppLocker Vulnerability using BigFix content from bigfix.me

A newly identified Windows security flaw lets hackers install malicious apps on any machine. Found by Casey Smith, the Windows vulnerability allows malicious hackers to take advantage of the security flaw on enterprise versions of Windows dating back to Windows 7.

Microsoft has not yet provided a fix for the issue, but users can disable the Regsvr program using Windows Firewall.

You can use a BigFix task to apply the mitigation to this vulnerability. This is accessible through https://bigfix.me/fixlet/details/20257

References

The original post from Casey Smith:
http://subt0x10.blogspot.sg/2016/04/bypass-application-whitelisting-script.html

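For readers who want to see what the firewall mitigation looks like outside of BigFix, here is an added example (my own script, not the bigfix.me Fixlet's action script) that blocks outbound network access for regsvr32.exe with Windows Firewall. It uses netsh advfirewall so the same commands work on Windows 7 and later; the rule names, covering the 32-bit copy in SysWOW64, and reading the per-profile state from the registry instead of forcing the firewall on are my choices, not something the post or the Fixlet specifies.

```powershell
# Added example, not the bigfix.me Fixlet: block regsvr32.exe from talking to the
# network, so the /i:http://... download path of the bypass no longer works.
# Run from an elevated PowerShell prompt.

$targets = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"   # 32-bit copy, present only on 64-bit Windows
) | Where-Object { Test-Path $_ }

foreach ($exe in $targets) {
    $name = "Block regsvr32 outbound ($exe)"
    # Delete-then-add keeps the script idempotent without parsing netsh output
    # (the delete simply reports "No rules match" on a fresh machine).
    netsh advfirewall firewall delete rule name="$name" | Out-Null
    netsh advfirewall firewall add rule name="$name" dir=out action=block `
        program="$exe" enable=yes profile=any | Out-Null
}

# A block rule is only enforced on profiles where the firewall is actually on.
# Rather than switching every profile on (the side effect discussed in the reply
# below), report the ones that are off and let the admin decide.
# Note: Group Policy can override these values from
# HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall; check there too on domain hosts.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $v = Get-ItemProperty -Path "$base\$profile" -Name EnableFirewall -ErrorAction SilentlyContinue
    if (-not $v -or $v.EnableFirewall -ne 1) {
        Write-Warning "$profile has the Windows Firewall off; the regsvr32 rule is not enforced there."
    }
}

# Show what was created.
foreach ($exe in $targets) {
    netsh advfirewall firewall show rule name="Block regsvr32 outbound ($exe)"
}
```

Treat this as the mitigation the post describes, not a fix: it stops regsvr32.exe from fetching a scriptlet over the network, but regsvr32 can still register a scriptlet that is already on disk, so it belongs alongside the other controls in the thread rather than replacing them.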

Thanks for sharing – just a note for readers, this fixlet enables all profiles of the Windows Firewall so if your organization has the Windows Firewall disabled for any reason, this Fixlet will likely cause many issues in your environment.

Thanks William, that’s correct.

Thanks much for sharing!

Any thoughts on whether an ACL to Deny:Execute for Users on regsvr32.exe would be effective? I’d expect that regsvr32 would mostly be used by software installers, which should execute as LocalSystem in a BigFix environment.

I’d guess that applying an ACL on regsvr32.exe should be more-or-less compatible…at least as far back as XP, STIG had the permissions set for only Administrator and SYSTEM to have Full Control -
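As an added example (my own script, not something posted in the thread), this is what the proposed Deny:Execute ACE for Users looks like when applied with icacls, with a backup so it can be undone. regsvr32.exe is owned by TrustedInstaller, so an administrator has to take ownership before the DACL can be changed; ownership is handed back afterwards. The SID S-1-5-32-545 is BUILTIN\Users (used instead of the name so the command is locale-independent), and the backup file location and the decision to deny only the execute right are my assumptions.

```powershell
# Added example, not from the thread: deny Execute on regsvr32.exe for
# BUILTIN\Users (S-1-5-32-545). Run from an elevated PowerShell prompt.

$targets = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"   # 32-bit copy, present only on 64-bit Windows
) | Where-Object { Test-Path $_ }

foreach ($exe in $targets) {
    $dir    = Split-Path $exe -Parent
    $backup = Join-Path $env:ProgramData ("regsvr32-acl-" + (Split-Path $dir -Leaf) + ".txt")

    # 1. Save the current DACL. Roll back later with:
    #    icacls "<System32 or SysWOW64 dir>" /restore <backup file>
    icacls $exe /save $backup /Q | Out-Null

    # 2. Take ownership (to the Administrators group) so we hold WRITE_DAC.
    takeown /f $exe /a | Out-Null

    # 3. Add the deny ACE. (X) is execute/traverse only; read stays allowed so
    #    tools that merely hash or inspect the file keep working.
    icacls $exe /deny '*S-1-5-32-545:(X)' | Out-Null

    # 4. Hand ownership back to TrustedInstaller so servicing is unaffected.
    icacls $exe /setowner 'NT SERVICE\TrustedInstaller' | Out-Null

    # 5. Show the result; the new entry appears as BUILTIN\Users:(DENY)(X).
    icacls $exe
}
```

Two things to keep in mind when testing this. A Deny ACE is evaluated before any Allow, and most administrator accounts are also members of Users, so interactive admins lose regsvr32.exe too; only contexts that are not in Users, such as LocalSystem (which is why installers run by the BigFix client are unaffected, as noted above), keep it. And because the ACE lives on the file itself, re-check it after any servicing update that replaces regsvr32.exe.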