One of the attack techniques against Windows machines that has been gaining popularity is the exploitation of vulnerabilities in the Windows font parsing code (historically running in kernel mode in win32k.sys and ATMFD.dll) by getting the system to load and render a specially crafted font file. To carry out such an attack, an attacker only needs the user to open a specially constructed document or web page, or run an otherwise legitimate application, that loads a font from an external, untrusted source: the malformed font data triggers the bug as soon as it is parsed. Windows 10 introduced a built-in feature that prevents applications from loading third-party fonts, i.e. fonts that are not installed in the system and are not located in the %WINDIR%\Fonts directory.
To control the loading of third-party fonts, a separate Group Policy setting was added. It is located in Computer Configuration -> Administrative Templates -> System -> Mitigation Options in the gpedit.msc console and is called Untrusted Font Blocking. The policy has three modes:
- Block untrusted fonts and log events: completely prevents applications from loading third-party fonts from any folder other than %windir%\Fonts, and logs every such attempt
- Do not block untrusted fonts: third-party fonts are not blocked (this is the default behaviour)
- Log events without blocking untrusted fonts: a so-called audit mode, in which loading and installing third-party fonts is not blocked, but information about the font and the application that loaded it is logged
In Windows 10 Home editions (which have no Group Policy Editor), this feature can be managed only through the registry. Create a QWORD (64-bit) value named MitigationOptions under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\ and set it to one of the following hexadecimal values:
- Block untrusted fonts and log events – 1000000000000
- Do not block untrusted fonts – 2000000000000
- Audit mode (log without blocking) – 3000000000000
MitigationOptions is a bit mask shared with other exploit mitigations. If the value already exists, do not overwrite it; add the font-blocking bits to the existing value instead (for example, an existing value of 1000 becomes 1000000000001000).
Restart the computer for the change to take effect.
If the font blocking policy should not apply to a specific application, the application can be added as an exception. For example, so that Outlook correctly displays emails with embedded fonts, create a subkey named after the application's executable (outlook.exe in our example) under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, and inside it create a QWORD value MitigationOptions set to 2000000000000 (do not block). Keep in mind that every process excluded this way gets the full font-parsing attack surface back, so keep the list of exceptions as short as possible.
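The registry procedure above (system-wide mode plus a per-process exception) as a PowerShell script. This is an added example, not code from the original article; the key paths and the three hexadecimal values are the documented ones, while the function names and the assumption that the font policy occupies a single nibble of the MitigationOptions mask (so that other mitigation bits can be preserved rather than overwritten) are this example's own.

```powershell
# Added example (not from the original article): set the Untrusted Font Blocking
# mode through the registry (the only option on Windows 10 Home) and register a
# per-process exception. Run from an elevated PowerShell prompt; the system-wide
# setting needs a reboot. Function names and $FontMask are this example's own
# assumptions; the key paths and values are the documented ones.

$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Documented (hexadecimal) values for the font policy.
$FontModes = @{
    Block   = [int64]0x1000000000000   # block untrusted fonts and log events
    Disable = [int64]0x2000000000000   # do not block untrusted fonts
    Audit   = [int64]0x3000000000000   # log events without blocking
}
# Assumption: the font policy lives in this single nibble of the 64-bit
# MitigationOptions mask; the other bits belong to other mitigations and must survive.
$FontMask = [int64]0xF000000000000

function Set-MitigationFontBits {
    # Merge the requested font mode into an existing MitigationOptions value
    # instead of overwriting it (Microsoft's guidance: 1000 -> 1000000000001000).
    param([string]$Key, [string]$Mode)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Key -Name MitigationOptions -ErrorAction SilentlyContinue).MitigationOptions
    if ($null -eq $current) { $current = [int64]0 }
    $new = ([int64]$current -band (-bnot $FontMask)) -bor $FontModes[$Mode]
    New-ItemProperty -Path $Key -Name MitigationOptions -PropertyType QWord -Value $new -Force | Out-Null
    '{0}: MitigationOptions 0x{1:X} -> 0x{2:X}' -f $Key, [int64]$current, $new
}

function Set-UntrustedFontPolicy {
    # System-wide mode: Block, Disable or Audit (reboot required).
    param([Parameter(Mandatory)][ValidateSet('Block', 'Disable', 'Audit')][string]$Mode)
    Set-MitigationFontBits -Key $KernelKey -Mode $Mode
}

function Add-UntrustedFontException {
    # Per-process opt-out: IFEO\<image>.exe\MitigationOptions = 2000000000000.
    # Each excepted process regains the full font-parsing attack surface, so keep this list short.
    param([Parameter(Mandatory)][string]$ImageName)   # e.g. 'outlook.exe'
    Set-MitigationFontBits -Key (Join-Path $IfeoKey $ImageName) -Mode 'Disable'
}

# Typical rollout: start in audit mode, review the Win32k/Operational log, then switch to Block.
Set-UntrustedFontPolicy -Mode Audit
Add-UntrustedFontException -ImageName 'outlook.exe'
```

Masking the font nibble rather than assigning the whole value is what keeps the script safe to run on a machine where MitigationOptions already carries other mitigation flags; a plain `Set-ItemProperty -Value 0x1000000000000` would silently switch those off.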
If the audit policy (or block mode) is enabled, all related events are written to Applications and Services Logs -> Microsoft -> Windows -> Win32k -> Operational in Event Viewer. Look for events with Event ID 260: each one names the process that attempted to load the font, the font type, the font path (where the font was loaded from a file) and whether the load was blocked. Reviewing these events in audit mode before switching to block mode shows which applications legitimately load external fonts and may need an exception.
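A PowerShell snippet for reviewing those Event ID 260 records, as an added example that is not part of the original article. The message layout the regular expression expects ("<process> attempted loading a font that is restricted by font loading policy. FontType: ... FontPath: ... Blocked: ...") is an assumption about the event text; anything the regex cannot parse is still returned with the raw message, so nothing is lost.

```powershell
# Added example (not from the original article): read Untrusted Font Blocking
# events (ID 260) from the Win32k Operational log and summarise which process
# tried to load which font. The message layout the regex expects is an assumption;
# unparsed events are returned with the raw Message field. Run as administrator.

function Get-UntrustedFontEvents {
    param([int]$MaxEvents = 500)
    $pattern = '^(?<proc>.+?)\s+attempted loading a font.*?' +
               'FontType:\s*(?<type>\S*)\s*FontPath:\s*(?<path>.*?)\s*Blocked:\s*(?<blocked>\S+)'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = [regex]::Match($_.Message, $pattern, 'Singleline')
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Process  = if ($m.Success) { $m.Groups['proc'].Value }    else { $null }
            FontType = if ($m.Success) { $m.Groups['type'].Value }    else { $null }
            FontPath = if ($m.Success) { $m.Groups['path'].Value }    else { $null }
            Blocked  = if ($m.Success) { $m.Groups['blocked'].Value } else { $null }
            Message  = $_.Message
        }
    }
}

# Which processes load untrusted fonts, and of what type: the candidates for an
# exception (or for closer inspection) before switching from audit to block mode.
Get-UntrustedFontEvents |
    Group-Object Process, FontType |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# File-backed loads with their source path; memory-only fonts have no path.
Get-UntrustedFontEvents |
    Where-Object { $_.FontPath } |
    Select-Object Time, Process, FontPath, Blocked -First 20
```

Grouping by process and font type is the useful first cut: a mail client or browser that repeatedly loads memory fonts is a candidate for an exception, whereas an unexpected process loading fonts from a temporary directory is something to investigate rather than whitelist.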
Third-party font blocking can also be managed with Microsoft EMET 5.5 or later by enabling the Block Untrusted Fonts option in the EMET interface. Note that EMET reached end of support on July 31, 2018, so the Group Policy or registry setting described above is the supported way to configure this mitigation.