Block programs from loading untrusted fonts in Windows 10

Microsoft implemented a new security feature in Windows 10's November update build that added an option to the operating system to block the loading of untrusted fonts.

The use of fonts has always been problematic in the Windows operating system from a security point of view as bugs in font-handling code could give attackers high-level privileges.

Bulletins such as MS15-078 indicate that the Windows font system is targeted regularly, and one way to mitigate the impact of these attacks was the new untrusted font blocking security feature built-into Windows 10.

I have mentioned the feature when I reviewed the new version of Microsoft EMET, as it shipped with support for it, but it has been likely missed by at least some users, hence this new article.

Untrusted fonts blocking

font mitigation options

The security feature needs to be enabled in the Windows Registry, and there for every machine that you want to enable the feature on.

  1. Tap on the Windows-key, type regedit.exe and hit enter.
  2. Confirm the UAC prompt if it is displayed.
  3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\
  4. Right-click on Kernel, and select New > QWORD (64-bit) Value and name it MitigationOptions.
  5. Double-click on MitigationOptions afterwards and use one of the following values for the feature:
  6. To turn it on: 1000000000000
  7. To turn it off: 2000000000000
  8. To set it to audit mode: 3000000000000

Note: It is highly suggested to set the untrusted font blocking security feature to audit mode first, as you may run into issues with third-party applications after enabling the feature on a machine running Windows 10.

Alternatively, if you are running Microsoft EMET 5.5 on the machine, you may enable the "block untrusted fonts" feature using the application interface.

block untrusted fonts emet

If you set it to audit mode, all blocked font loading attempts are written to the event log.

  1. Tap on the Windows-key, type eventvwr.exe and hit enter.
  2. Navigate to Application and Service Logs/Microsoft/Windows/Win32k/Operational.
  3. Scroll down to EventID: 260 and review the entries you find there.

Configuring exceptions

Some programs may not load or display correctly after you enable untrusted font blocking in Windows 10. While you may be able to resolve some of the issues directly, for instance by enforcing the use of system fonts in the application, you may run into issues with some apps where that is not an option.

Microsoft added an option to the security feature that enables you to set exceptions for these processes.

  1. Tap on the Windows-key, type regedit.exe and hit enter.
  2. Confirm the UAC prompt.
  3. Navigate to HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  4. Right-click on Image File Execution Options, and select New > Key.
  5. Use the full file name of the process that you want to exclude, e.g. winword.exe or firefox.exe, so that the key looks like this HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe.
  6. Repeat this for every process you want to exclude.

Additional information about the blocking of untrusted fonts are available on Microsoft's Technet website.

Side Note: Google enabled the feature individually for its Chrome web browser running on Windows 10 recently according to an Ars Technica report improving security for Chrome users on Windows 10 in the process.

Summary
Article Name
Block programs from loading untrusted fonts in Windows 10
Description
Find out how to block programs from loading untrusted fonts on Microsoft's new Windows 10 operating system.
Author
Publisher
Ghacks Technology News
Logo
Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to Block programs from loading untrusted fonts in Windows 10

  1. Earl February 5, 2016 at 9:39 am #

    Late '70s time frame...

    "Hey, guys... we got some leftover bytes here--what should we do with 'em?"
    "Hmmm... oh, I know! Let's run 'em! ...see what happens--gotta be fun, right?"
    "Kewl!"
    (and thus a whole cottage industry was born--two actually: malware creators on one side, and AV folk (and everyone else) on the other side... "Kewl!" [yeah, right].)

  2. Maelish February 5, 2016 at 4:23 pm #

    Unless I am reading this wrong, this can also block web-fonts that aren't trusted by Microsoft. If so, it seems like a challenge to Google Fonts.

    Am I wrong?

  3. chesscanoe February 5, 2016 at 5:25 pm #

    It's great to know my primary browser under Windows 10 is Chrome Version 48.0.2564.103 m as of yesterday. I assume the font benefit is there, although searching on "font" in Chrome Release notes for all current versions produced no hits.

  4. S2015 February 5, 2016 at 7:57 pm #

    In someway, this would cause some potentially undesired trouble to inexperienced even advanced Photoshop users, as they often need some 3rd-party sources to create their work. Again, the user should scan the downloads via an up-to-date malware protection.

Leave a Reply