Fonts seem innocent when on the computer. Most of the time, we do not even pay attention to the fonts on webpages except when they are too hard on eyes. But untrusted fonts on webpages may be misused by hackers to compromise your network. This post explains how to block untrusted fonts in Windows 10.
While working locally, almost all the fonts we use, come from the %windir%/fonts folder. That is, the fonts are installed into the Windows fonts folder when Windows or any other application is installed. These are trusted fonts and do not pose any threat. When we encounter such fonts on webpages, they are loaded from the local fonts folder.
But when the fonts on a webpage are not present on our computer – i.e., the local fonts folder – a copy of that font is loaded into our computer’s memory and that is when a cyber-criminal can gain access to your network.
Dangers of untrusted fonts
When a webpage utilizes a font that is already present in the local fonts folder, the browser picks up the fonts from the local folder to render the webpage. Since the fonts in local font folder are scrutinized by antivirus programs when being installed, they do not pose a threat.
When a website or webpage utilizes a font that is not present in local fonts directory or folder, browsers will need “elevated privileges” to load a copy of the fonts into local memory by downloading them to the computer. Simple downloads are not much of an issue as the antimalware packages will detect if the fonts contain any malware. There is no threat of malware with such fonts. The issue is “elevated privileges” that can be found and exploited by the cybercriminals. If they take control of browser under such a situation, they are capable of doing much harm to not only the computer but to the network as a whole.
The best method is to avoid browsers from using “elevated privileges” and that can be done in Windows 10 by blocking the fonts that are not present in the local folder. In such cases, the website will be rendered by substituting the untrusted website fonts with the trusted fonts in local folder. This may however, cause the webpage to render improperly and create problems while printing.
Three states available for untrusted fonts in Windows 10
There are three options available to you when it comes to untrusted fonts in Windows 10. They are:
- Block the fonts
- Audit mode: you do not actually block the font but you keep a log that shows if untrusted fonts were loaded and if yes, which website and application used them
- Exclusion of apps: You can whitelist some of the apps on Windows 10 to use untrusted fonts if you think they won’t be a problem; For example, if you whitelist Word app, it can utilize third-party fonts originating from the Internet even though you have blocked untrusted fonts
The best method, in my opinion, given the limited number of options, is to block all untrusted fonts and whitelist only those apps that pose less threat via downloading fonts to local memory. Compared to a browsers, apps like Microsoft Word, Excel, etc. pose less of a threat as when the fonts are downloaded, your antimalware is triggered and if it finds anything objectionable, it will give you a message or block the downloaded fonts. Browsers, on the other hand, are a complex architecture (relying on rendering engines and processors etc.) so even if the antimalware blocks fonts in memory, cybercriminals may still be able to take control of the machine easily.
Block untrusted fonts in an Enterprise
Using Registry Editor
To block untrusted fonts in Windows 10 and to whitelist apps that can use untrusted fonts, you will have to use the Windows Registry Editor. As of now, there is no graphical user interface that makes it easier for the admins. The following explains how to block untrusted fonts in Windows 10.
- Press WinKey+R and in the Run dialog that appears, type regedit and hit Enter key
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\
- Look for entry named MitigationOptions. If it is not there, create a QWORD entry of 64 bit and name it MitigationOptions
- There will already be a value for the QWORD entry we created; copy paste the following values to BEFORE the value so that the value is there in towards the end of value we pasted
- For turning off untrusted fonts, enter 1000000000000. To run audit mode, enter 3000000000000. To turn it off, enter 2000000000000. For example, if there is a value of 1000 already in the QWORD we created, it should look 30000000000001000
- Close the registry editor, save work in any other applications that might be open and reboot the computer.
As mentioned earlier, there may be problems viewing the websites or printing when you turn off untrusted fonts. To get around it, it is recommended that you download and install the font manually into the %windir%/fonts folder. That will make it safer to browse the website using that font. Though you can exclude or whitelist apps, it should be done only if you can install the fonts for some reasons.
Using Group Policy Editor
If you use Windows 10 Enterprise and Windows 10 Pro editions, you can make use of the Local Group Policy Editor.
Run gpedit.msc to open the Local Group Policy Editor and navigate to the following setting:
Computer Configuration > Administrative Templates > System > Mitigation Options.
In the right pane you will see Untrusted Font Blocking. Select Enabled and the choose Block untrusted fonts and log events from the drop-down meu.
This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.
Using EMET 5.5 and later
Enhanced Mitigation Experience Toolkit now lets you block untrusted fonts
How to view log of apps accessing untrusted fonts
If you choose the audit method, you will find that none of the untrusted fonts are blocked. Instead, a log will be created that you can use to see which app accessed which untrusted font type and where, when etc. details. To view the log, open Windows Event Viewer. Go to Application and Service Logs/Microsoft/Windows/Win32k/Operational.
Under the EventID: 260, you will find all the log entries related to access of untrusted fonts by different browsers and apps during the runtime of the local computer. An example of the event log would be as follows:
WINWORD.EXE attempted loading a font that is restricted by font loading policy.
This type of entry would be shown when you have completely blocked the untrusted fonts from loading on local computers. It also shows that download of untrusted font happened but was blocked by the policy you created using the Windows Registry Editor.
Another example could be:
Iexplore.exe attempted loading a font that is restricted by font loading policy.
In the above case, the untrusted fonts are not blocked as shown by the entry. It also shows that the browser attempted download of the fonts to local memory and was used.
The above explains untrusted fonts, dangers posed by untrusted fonts and finally, how to block untrusted fonts in Windows 10. If you have any doubts or anything to add, please comment.