CCE-45231-8Platform: cpe:/o:microsoft:windows_server_2016 | Date: (C)2017-08-03 (M)2023-07-04 |
This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.
Vulnerability:
Disabling or not configuring this setting can compromise security as it may allow a malicious agent to load an unprotected font via an Office application or web browser.
Counter Measure:
Enable and configure this setting depending on your organization's requirements.
Potential Impact:
Some applications may not be compatible with blocking untrusted fonts.
Fix:
(1) GPO: Computer ConfigurationAdministrative TemplatesSystemMitigation OptionsUntrusted Font Blocking
(2) REG: HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTMitigationOptions!MitigationOptions_FontBocking
Parameter:
[block_untrusted_fonts_and_log_events/do_not_block_untrusted_fonts/log_events_without_blocking_untrusted_fonts]
Technical Mechanism:
(1) GPO: Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking
(2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions!MitigationOptions_FontBocking
CCSS Severity: | CCSS Metrics: |
CCSS Score : 7.5 | Attack Vector: NETWORK |
Exploit Score: 1.6 | Attack Complexity: HIGH |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: HIGH | User Interaction: REQUIRED |
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:40189 |