Posted on May 17, 2016 · Posted in Windows 10

Block Untrusted Fonts in Windows 10

One attack technique that has been gaining popularity against Windows machines is the exploitation of vulnerabilities in the Windows font driver by loading and rendering a specially crafted font file. To carry out such an attack, an attacker only has to get a user to open a specially constructed document or web page, or to run an application (harmless in itself) that loads a font containing the malicious code from an external source. Windows 10 introduced a built-in feature that prevents loading and running third-party fonts, i.e. fonts that are not installed in the system and do not reside in the %WINDIR%\Fonts directory.

To manage the loading of third-party fonts, a dedicated Group Policy setting was added; it can be found in the Computer Configuration -> Administrative Templates -> System -> Mitigation Options section of the gpedit.msc console. The setting is called Untrusted Font Blocking. Three modes of this policy are available:

  1. Block untrusted fonts and log events completely prevents applications from loading third-party fonts from any folder other than %windir%\Fonts, and logs all related events
  2. Do not block untrusted fonts does not block third-party fonts (the default)
  3. Log events without blocking untrusted fonts is the so-called audit mode: loading and installation of third-party fonts is not blocked, but information about the font and the application that loaded it is logged

Untrusted Font Blocking - Windows 10 Policy

In Windows 10 Home editions (which have no Group Policy Editor), this security feature can be managed only through the registry. To do so, create a QWORD (64-bit) value named MitigationOptions in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\ branch of the registry. Assign one of the following values to it:

  1. Font blocking enabled – 1000000000000
  2. Disabled – 2000000000000
  3. Audit mode – 3000000000000

MitigationOptions - registry

After you have made the changes, restart your computer.

If the font blocking policy should not apply to a specific application, that application can be added as an exception. For example, for Outlook to display messages with embedded fonts correctly, create a subkey named after the application's executable file in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options branch of the registry. In our example, it is outlook.exe.

Image File Execution Options

Tip. Keep in mind that when the font blocking policy is active, some programs may not be displayed correctly, so it is recommended to test the popular corporate applications in audit mode first. Any third-party font files that are needed can be installed centrally using a VBScript:

' Installs every font file from the staging folder that is not yet present in C:\Windows\Fonts
Set objSh = CreateObject("Shell.Application")
Set objFld = objSh.Namespace("c:\install\font")
Set objFSO = CreateObject("Scripting.FileSystemObject")
For Each FontFile In objFld.Items()
    Set objFldItem = objFld.ParseName(FontFile.Name)
    ' Skip fonts that are already installed
    If Not objFSO.FileExists("c:\windows\fonts\" & FontFile.Name) Then
        objFldItem.InvokeVerb "Install"
    End If
Next

If the audit policy is enabled, all related events are recorded under Applications and Services Logs -> Microsoft -> Windows -> Win32k -> Operational in Event Viewer. The events of interest have Event ID 260.
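As an added example (not part of the original article), the same configuration done from an elevated PowerShell session: the machine-wide MitigationOptions value, the per-application exception, and a summary of the Event ID 260 audit records by process. The event log name, the message layout and the per-process MitigationOptions value inside the exception subkey are taken from Microsoft's documentation rather than from this article; the function names are my own.

```powershell
# Added example: Untrusted Font Blocking from PowerShell (run elevated; reboot to apply).
$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
# The same values as in the article, which regedit shows in its hex view.
$Modes = @{
    Block = 0x1000000000000   # 1000000000000 - block and log
    Off   = 0x2000000000000   # 2000000000000 - disabled
    Audit = 0x3000000000000   # 3000000000000 - log only
}

function Set-UntrustedFontPolicy {
    param([ValidateSet('Block','Off','Audit')][string]$Mode)
    # QWORD is mandatory: the flag lives in bit 48, which a DWORD cannot hold.
    New-ItemProperty -Path $KernelKey -Name MitigationOptions -PropertyType QWord `
        -Value $Modes[$Mode] -Force | Out-Null
}

function Add-FontPolicyException {
    param([string]$ExeName)   # e.g. 'outlook.exe'
    $IfeoKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ExeName"
    if (-not (Test-Path $IfeoKey)) { New-Item -Path $IfeoKey -Force | Out-Null }
    # Per-process value (from Microsoft's documentation; the article only names the
    # subkey): turns the mitigation off for this executable alone.
    New-ItemProperty -Path $IfeoKey -Name MitigationOptions -PropertyType QWord `
        -Value $Modes['Off'] -Force | Out-Null
}

function Get-UntrustedFontEvents {
    param([int]$Last = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 } `
        -MaxEvents $Last -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        # Documented message shape: "<exe> attempted loading a font that is restricted by
        # font loading policy. FontType: <type> FontPath: <path> Blocked: <true|false>"
        $proc    = if ($m -match '^(?<p>\S+) attempted loading')        { $Matches.p } else { '?' }
        $path    = if ($m -match 'FontPath:\s*(?<f>.*?)\s*Blocked:')     { $Matches.f } else { '' }
        $blocked = if ($m -match 'Blocked:\s*(?<b>\w+)')                 { $Matches.b } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Process = $proc; FontPath = $path; Blocked = $blocked }
    }
}

# Typical rollout: audit first, whitelist what the business needs, then block.
Set-UntrustedFontPolicy -Mode Audit
Add-FontPolicyException -ExeName 'outlook.exe'
# After some days in audit mode: which applications load third-party fonts, and how often.
Get-UntrustedFontEvents | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Name, Count
```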

You can also manage third-party font blocking using Microsoft EMET 5.5. To do it, enable the Block Untrusted Fonts option in the EMET interface.

Microsoft EMET 5.5 - Block Untrusted Fonts
