Block programs from loading untrusted fonts in Windows 10

[Batu69]

Microsoft implemented a new security feature in Windows 10's November update build that added an option to the operating system to block the loading of untrusted fonts.

 

The use of fonts has always been problematic in the Windows operating system from a security point of view as bugs in font-handling code could give attackers high-level privileges.

 

Bulletins such as MS15-078 indicate that the Windows font system is targeted regularly, and one way to mitigate the impact of these attacks was the new untrusted font blocking security feature built-into Windows 10.

 

I have mentioned the feature when I reviewed the new version of Microsoft EMET, as it shipped with support for it, but it has been likely missed by at least some users, hence this new article.

Untrusted fonts blocking

 

The security feature needs to be enabled in the Windows Registry, and there for every machine that you want to enable the feature on.

1. Tap on the Windows-key, type regedit.exe and hit enter.
2. Confirm the UAC prompt if it is displayed.
3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\
4. Right-click on Kernel, and select New > QWORD (64-bit) Value and name it MitigationOptions.
5. Double-click on MitigationOptions afterwards and use one of the following values for the feature:
6. To turn it on: 1000000000000
7. To turn it off: 2000000000000
8. To set it to audit mode: 3000000000000

Note: It is highly suggested to set the untrusted font blocking security feature to audit mode first, as you may run into issues with third-party applications after enabling the feature on a machine running Windows 10.

 

Alternatively, if you are running Microsoft EMET 5.5 on the machine, you may enable the "block untrusted fonts" feature using the application interface.

 

 

If you set it to audit mode, all blocked font loading attempts are written to the event log.

1. Tap on the Windows-key, type eventvwr.exe and hit enter.
2. Navigate to Application and Service Logs/Microsoft/Windows/Win32k/Operational.
3. Scroll down to EventID: 260 and review the entries you find there.

 

Configuring exceptions

 

Some programs may not load or display correctly after you enable untrusted font blocking in Windows 10. While you may be able to resolve some of the issues directly, for instance by enforcing the use of system fonts in the application, you may run into issues with some apps where that is not an option.

 

Microsoft added an option to the security feature that enables you to set exceptions for these processes.

1. Tap on the Windows-key, type regedit.exe and hit enter.
2. Confirm the UAC prompt.
3. Navigate to HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
4. Right-click on Image File Execution Options, and select New > Key.
5. Use the full file name of the process that you want to exclude, e.g. winword.exe or firefox.exe, so that the key looks like this HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe.
6. Repeat this for every process you want to exclude.

Additional information about the blocking of untrusted fonts are available on Microsoft's Technet website.

 

Side Note: Google enabled the feature individually for its Chrome web browser running on Windows 10 recently according to an Ars Technica report improving security for Chrome users on Windows 10 in the process.

 

Article source