Microsoft Quietly Moved Font Parsing to AppContainer in the Anniversary Update
Last May on Petri, I wrote about a security feature in Windows 10 that enables the blocking of untrusted fonts. Fast forward a year, and a change in the Windows 10 Anniversary Update has rendered this setting less useful, with Microsoft now recommending that it should not be enabled.
In this Ask the Admin, I’ll explain the changes and why you probably should not enable Untrusted Font Blocking in Group Policy.
Windows 10 contains a security feature that allows system administrators to prevent users from loading fonts not located in the trusted %windir%\Fonts directory. This should help to prevent remote web-based and local elevation-of-privilege attacks that can occur when Windows uses graphics device interface (GDI) APIs to load and render fonts. There are three levels of operation: On, Audit, and Exclude apps to load untrusted fonts. However, enabling the Untrusted Font Blocking setting comes with some drawbacks, including causing sites in Internet Explorer that use embedded fonts to revert to a default font. For more information on the Untrusted Font Blocking setting, see Windows 10 Tip: Block Untrusted Fonts on Petri.
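The following PowerShell script is an added example, not code from the Petri article or from Microsoft. It reports which of the three states (On, Audit, or not configured) Untrusted Font Blocking is in on the local machine and, where Audit is in use, lists the logged attempts to load fonts from outside %windir%\Fonts. It assumes, based on Microsoft's "Block untrusted fonts in an enterprise" guidance, that the policy is stored in the MitigationOptions QWORD under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel and that audit entries are written as Event ID 260 to the Microsoft-Windows-Win32k/Operational log; verify both against current documentation before relying on them.

```powershell
# Added example (not from the article): report the Untrusted Font Blocking state
# and summarise audit events for font loads from outside %windir%\Fonts.
#
# Assumptions (from Microsoft's "Block untrusted fonts in an enterprise" guidance;
# confirm against current documentation):
#   - the policy lives in the QWORD value MitigationOptions under
#     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel
#   - in that 64-bit mask, 0x1000000000000 = On, 0x2000000000000 = Off,
#     0x3000000000000 = Audit
#   - Audit mode logs Event ID 260 to Microsoft-Windows-Win32k/Operational

$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$ValueName = 'MitigationOptions'

# The font-blocking policy occupies one hex digit of the mask; everything else
# in MitigationOptions belongs to other kernel mitigations and is masked off.
$FontMask = 0xF000000000000

function Get-UntrustedFontBlockingState {
    $item = Get-ItemProperty -Path $KernelKey -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -eq $item) { 0 } else { [int64]$item.$ValueName }
    $bits = $raw -band $FontMask
    switch ($bits) {
        0x0000000000000 { 'Not configured: fonts outside %windir%\Fonts load normally' }
        0x1000000000000 { 'On: fonts outside %windir%\Fonts are blocked' }
        0x2000000000000 { 'Off: blocking explicitly disabled' }
        0x3000000000000 { 'Audit: untrusted font loads are logged but still allowed' }
        default         { 'Unrecognised font-blocking bits in MitigationOptions: 0x{0:X}' -f $raw }
    }
}

function Get-UntrustedFontAuditEvents {
    # Returns the most recent audit entries; the message names the process and
    # the font file it tried to load, which is what you review before deciding
    # whether the On setting would break anything in your environment.
    param([int]$MaxEvents = 50)
    $filter = @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Message = $_.Message
            }
        }
}

"Untrusted Font Blocking: $(Get-UntrustedFontBlockingState)"
Get-UntrustedFontAuditEvents | Format-Table -Wrap -AutoSize
```

Run it from an elevated PowerShell prompt, since reading the Win32k operational log requires administrative rights. The script only reads state; it does not change the policy, which is consistent with the article's recommendation to leave Untrusted Font Blocking disabled unless you have assessed the impact.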
The Windows 10 Anniversary Update included a new, always-on mitigation against GDI-parsed fonts, although Microsoft only published information about it on its website six months later. Because blocking GDI-parsed fonts caused so many issues for users, Microsoft needed a more effective approach. Starting in the Anniversary Update, GDI font parsing is moved from kernel mode into a sandboxed user-mode AppContainer that has no capabilities, the minimum set of privileges, running under a system-generated virtual account. It is worth noting that not all fonts are rendered using GDI APIs. For instance, Microsoft Edge uses the user-mode DirectWrite font-rendering engine.
Using an AppContainer for GDI font parsing has led Microsoft to change its previous recommendation to enable Untrusted Font Blocking. It believes that the new parsing process carries an acceptably low risk. Although the change was introduced in the Anniversary Update, Microsoft is only now altering the recommended setting for Untrusted Font Blocking in the security baseline settings for the Creators Update.
Clearly, the new method for mitigating attacks against the GDI font parser is a compromise between security and usability, but the ill effects of enabling the Untrusted Font Blocking setting are too disruptive for all but the highest-security environments. I recommend that you take Microsoft's advice and leave the Untrusted Font Blocking setting disabled unless you have a credible reason to believe that your organization is at increased risk from font-parsing vulnerabilities that might exist.
In this article, I explained the changes to GDI font parsing in the Windows 10 Anniversary Update and why Microsoft is no longer recommending organizations enable Untrusted Font Blocking.