About the blocking untrusted fonts feature
Because fonts use complex data structures and can be embedded into webpages and documents, they can be vulnerable to elevation of privilege (EOP) attacks. EOP attacks mean that a malicious hacker can remotely access a user's computer when users share files or surf the web. To strengthen security against these attacks, we have created a feature to block untrusted fonts. Using this feature, you can turn on a global setting that stops users from loading untrusted fonts that are processed by the Graphics Device Interface (GDI). Untrusted fonts are any fonts that are installed outside the %windir%/Fonts directory. The blocking untrusted fonts feature helps stop both remote (web-based or email-based) and local EOP attacks that can occur during the font file-parsing process.
How does this feature work
There are three ways to use this feature:
- On. Helps stop any font being loaded that is processed by using GDI and is installed outside the %windir%/Fonts directory. It also turns on event logging.
- Audit. Turns on event logging, but does not block fonts from loading, regardless of location. The names of the applications that use untrusted fonts appear in your event log.
Note If you are not ready to deploy this feature in your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
- Exclude apps to load untrusted fonts. You can exclude specific applications. It allows them to load untrusted fonts, even when the feature is turned on.
Potential reductions in functionality
After you turn this feature on, users might experience reduced functionality in the following situations:
- Sending a print job to a shared printer server that uses this feature and where the spooler process has not been specifically excluded. In this situation, any fonts that are not already available in the server's %windir%/Fonts folder will not be used.
- Printing using fonts provided by the installed printer's graphics .dll file, outside the %windir%/Fonts folder. For more information, see Introduction to Printer Graphics DLLs.
- Using first- or third-party apps that use memory-based fonts.
- Using Internet Explorer to view websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all the characters, so the website might render differently.
- Using desktop Office to view documents that have embedded fonts. In this situation, content is displayed by using a default font picked by Office.
How to turn on and use the blocking untrusted fonts feature
To turn this feature on, off, or to use audit mode, use one of the following methods.
Using Group Policy
- Open Local Group Policy Editor.
- Under Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand System, and then click Mitigation Options.
- In the Untrusted Font Blocking setting, you can see the following options:
- Block untrusted fonts and log events
- Do not block untrusted fonts
- Log events without blocking untrusted fonts
Using Registry Editor
- Open Registry Editor (regedit.exe) and go to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\
- If the MitigationOptions key is not there, right-click and add a new QWORD (64-bit) Value, naming it MitigationOptions.
- Update the Value data of the MitigationOptions key, and make sure that you keep your existing value, as described in the Important note below:
- To turn this feature on. Type 1000000000000.
- To turn this feature off. Type 2000000000000.
- To audit with this feature. Type 3000000000000.
Important Your existing MitigationOptions values should be saved during your update. For example, if the current value is 1000, your updated value should be 1000000001000.
- Restart your computer.
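The registry procedure above as an added PowerShell example (not a script from the original article or from Microsoft): it sets the On, Off or Audit value while preserving every other bit already stored in MitigationOptions, as the Important note requires. It assumes the page's values are hexadecimal, which is how Registry Editor shows QWORD data by default, and that the feature occupies only the hex digit the three documented values differ in (mask 0x3000000000000).

```powershell
# Added example, not part of the original article. Run from an elevated prompt.
# Usage: .\Set-FontBlocking.ps1 -Mode On | Off | Audit
param(
    [ValidateSet('On', 'Off', 'Audit')]
    [string]$Mode = 'Audit'
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$ValueName = 'MitigationOptions'

# The documented values 1000000000000 / 2000000000000 / 3000000000000 (hex)
# all sit in the same hex digit; this mask (an assumption derived from them)
# covers that digit so an earlier setting can be cleared before a new one is set.
$FontMask = [uint64]0x3000000000000
$FontBits = @{
    On    = [uint64]0x1000000000000   # block untrusted fonts and log events
    Off   = [uint64]0x2000000000000   # do not block untrusted fonts
    Audit = [uint64]0x3000000000000   # log events without blocking
}

# Read the current QWORD; treat a missing value as 0 (the value is created below).
$existing = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $existing) { $existing = 0 }
$existing = [uint64]$existing

# Keep everything outside the font digit (e.g. an existing 1000 stays 1000),
# remove whatever the font digit held, then add the requested setting.
$new = $existing - ($existing -band $FontMask) + $FontBits[$Mode]

# -Type QWord creates the value if it does not exist yet.
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $new -Type QWord

'{0}: {1} changed from 0x{2:X} to 0x{3:X}' -f $Mode, $ValueName, $existing, $new
```

A restart is still required afterwards, as in the last step above; the script only writes the value.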