UPDATE: thanks to the Rubber Duck effect, I just stumbled upon this note. It is a known problem: if you have Windows XP and either manually or with some "hack" managed to download the Windows Update of February 9th, 2015, Arial and Courier get screwed.

Windows Vista Users: the same applies, but since Vista is still supported, it happens automatically and always (unless you uninstall the KB3013455 update, and disable it from Windows Update before it self-reinstalls).

Original question

I have an older PC with XP Pro SP3 installed.

All of a sudden two fonts (at least), Arial and Courier New, started looking different. Arial is tolerable if a bit fuzzy; curves sprouted extra pixels, and some characters have enlarged elements (for example the horizontal bar of the 4 is two pixels tall, the bar from the 5 is one pixel only). Courier New has become pretty horrible, and seems to be actually missing whole horizontal scan lines.

The extra pixels would make one think of ClearType but those settings are correct (and unchanged since ages ago), and the usual voodoo of setting them to wrong values and then back to the correct ones avails nothing.

I checked several other questions and solutions that looked promising but nothing seems to work.

Thinking that the fonts had gotten damaged somehow (all others appear OK - I switched from Courier New to Consolas wherever possible) I replaced them with backup copies. Then I also reverted the system back to a configuration of one week ago, which was surely working. To no apparent effect.

Deleting the font cache (C:\WINDOWS\system32\FNTCACHE.DAT) has it reappear somewhat smaller (as expected) on next reboot, but does not fix the problem.

The PC is otherwise working properly and all other fonts render as they always did; I managed to retrieve a screenshot of two months ago with some text in several fonts, and by rewriting the same words compared the two images, which are identical pixel per pixel (unfortunately the screenshot did not include either Arial or Courier New - but, to know that those two aren't OK, I need no test).

I'm really at a loss as to what could be causing this.

  • You made an update - is this still actually a question? If it's a known problem, then I guess there is nothing you can do - XP is no longer supported as you know... If the link you provide solves it, I suggest you remove that link from your question and answer your own question with that information.
  • I'm working on that - it's not my main computer. Uninstalling the update would fix the problem except that I could not find that particular update in the time I had. Will retry later. In a pinch I'll try and restore win32k.sys from backups.
  • The fix, KB3037639, does not install automatically (at least as of today). Millions of users should be affected by this. So ... where are they? Commented Feb 25, 2015 at 15:01
  • It installs and wreaks havoc on XPs that have been tweaked into still updating, instead of remaining quietly exploitable, and on surviving Vista PCs, of which few probably remain. Where are those millions of users? Either happy, safe and using Windows 7/8, or happy, unsafe and unaware of it.

It turns out that Windows did not parse all the fields and data structures within TrueType fonts too accurately, and it is therefore possible for a naughty "font" to present invalid information to Windows, making it crash or, theoretically, seizing control and executing malicious code.

And since it's possible to embed a True Type font in a web site, this has some very disturbing implications - especially since most antiviruses don't usually examine fonts too closely. You visit a web site, or perhaps just a web page containing an advertising HTML banner with its own fonts, and bang!, pwn3d.

So quite correctly KB3013455 fixes this, adding several more checks; and naughty fonts can no longer do anything.

Except that... what would happen if some system fonts failed those same checks, or contained information that was slightly off, and nobody had ever realized it because the required checks and settings were never put in place?

It would happen that those slightly and unintentionally naughty fonts, and no others, would suddenly start misbehaving -- reporting to the system sizes and hints that were never reported before. And they would look slightly bad - Arial - or almost unreadable - Courier New.

Until a new fix supplied a "properly behaved" version of both sets of font files (there's eight of them, I think - normal, italic, bold, and bold italic, two each).

That's what happened.

Until the new fix, the choice is:

  1. Replace the two fonts with suitable alternatives in all affected programs. Segoe UI and Consolas work for me (I've also heard good things about a free font called Inconsolata). For some browsers, it is possible to set up a font replacement via plugins or settings. Wait for the fixed fonts to come up. Ideally, it shouldn't take long. In the interim, the PC is protected against a "font attack". RECOMMENDED.

    • to fix Firefox: locate the userContent.css file in your Firefox profile. If there is no such file, locate the AppData\Mozilla\Firefox\Profiles\RANDOM_STRING\chrome directory and create a file called userContent.css. In this file place (or add if it already exists)

    @font-face { font-family: 'Arial'; src: local('Segoe UI'); }
    @font-face { font-family: 'Courier New'; src: local('Consolas'); }
    @font-face { font-family: 'Times New Roman'; src: local('Linux Libertine'); }

(Of course the "local" fonts must be installed!).

  2. Uninstall the KB3013455 fix (and remain vulnerable). Except maybe you can't.

    • easy: KB3013455 is present in Control Panel, Applications, [x] Show Updates, Sort by Date, and look for January or February 2015. Uninstall (*). But depending on (#) it might not be there.
    • almost as easy: Start > Accessories > System Utilities > System Restore, and restore a previous configuration. You should see "Software Distribution Service". Choose the "System Shutdown" checkpoint before that. Reboot, and you're done (*). Depending on (#) you might not have Restore Points available.
    • difficult. Retrieve a copy of win32k.sys from before January 2015 from some full backup. Boot from a Linux boot disk or Windows Rescue disk. Rename the existing win32k.sys to win32k.xyz, copy the good win32k.sys into C:\WINDOWS\SYSTEM32, reboot and hope it works.

(*) At the next boot or soon after, the system will ask for an update of one or more packages, and you will need to not install KB3013455 and check "Do not ask me in the future". If (#) forces an update without telling you anything, or the fonts look good but revert to being fuzzy after one or more further reboots, (#) is the culprit, but how to make things work out depends on its nature.

(#) Windows XP cannot update since it's end of life. Why is it updating? Because there are ways to keep the thing alive long after it should be dead. One such fix that I found is to have it report being "WEPOS System", an XP flavour used for ATMs that's supported for some more years (?), with a registry "fix". Another way is to have a utility that pulls the updates from somewhere - the WEPOS Windows Update site perhaps, or some virus lord's basement tank - and trick XP into believing it's the official Windows Update service. Whatever it is that updates Windows, you need to tell it to leave KB3013455 alone.

Update: things "fixing/updating" XP you may have to thank for the Arial/Courier/Times mess

This is a list of possible causes of more or less silent update(s) to an end-of-lifed XP:

  1. The "WEPOS" registry hack.
  2. Something related to McAfee (reported by @rboblenz). I've found some articles relating to an "unability to update XP", which would seem to imply that McAfee has some ability to update XP, but nothing is clearly stated on their site. Even so, if you have a McAfee product, that might be the explanation.
  3. A couple of tools that allow(ed) to have a pirated copy of XP and keep it updated and, apparently, keep it updated after EOL downloading updates from... somewhere. (And who wouldn't feel comfortable in trusting their data - bank account credentials possibly included - to such solutions? After all, what's the worst that might happen?)
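
The answer above attributes the flaw to Windows not validating the fields and data structures inside TrueType fonts. As an added illustration (not part of the original answer, and not the checks KB3013455 performs, which the page does not describe), this Python validates the table directory of a font file before any offset or length in it is trusted. The function names and the sample blob are constructed for this example.

```python
import struct

# Added illustration; function names are hypothetical and these are NOT the
# checks KB3013455 implements (the page does not describe them).
def check_sfnt_directory(data):
    """Return structural problems found in a TrueType (sfnt) table directory."""
    if len(data) < 12:
        return ["file shorter than the 12-byte offset table"]
    version, num_tables = struct.unpack_from(">IH", data, 0)
    problems = []
    if version not in (0x00010000, 0x74727565):  # 1.0 or 'true'
        problems.append("unexpected sfnt version 0x%08X" % version)
    dir_end = 12 + 16 * num_tables
    if dir_end > len(data):
        return problems + ["table directory runs past end of file"]
    seen, spans = set(), []
    for i in range(num_tables):
        tag, _sum, offset, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        name = tag.decode("latin-1")
        if name in seen:
            problems.append("duplicate table %r" % name)
        seen.add(name)
        if offset % 4:
            problems.append("table %r is not 4-byte aligned" % name)
        if offset < dir_end:
            problems.append("table %r overlaps the directory" % name)
        # Python ints never wrap; a C parser must also reject offset + length
        # overflowing 32 bits before comparing against the file size.
        if offset + length > len(data):
            problems.append("table %r extends past end of file" % name)
        else:
            spans.append((offset, offset + length, name))
    spans.sort()
    for (_, end1, n1), (start2, _, n2) in zip(spans, spans[1:]):
        if start2 < end1:
            problems.append("tables %r and %r overlap" % (n1, n2))
    return problems

def build_sample(tables, lie_about=None, claimed_length=0):
    """Constructed test blob shaped like a font file (not a usable font)."""
    offset = 12 + 16 * len(tables)
    records, body = b"", b""
    for tag, payload in tables:
        length = claimed_length if tag == lie_about else len(payload)
        records += struct.pack(">4sIII", tag, 0, offset, length)
        body += payload + b"\0" * (-len(payload) % 4)
        offset += len(payload) + (-len(payload) % 4)
    return struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0) + records + body

GOOD = build_sample([(b"head", b"\0" * 54), (b"glyf", b"\0" * 10)])
```

`check_sfnt_directory(GOOD)` returns an empty list; a directory entry whose declared length disagrees with the file is reported instead of being followed.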

The problem has been detected and there is a patch available at Microsoft.

At this page


you can reach Windows update 3037639. Install it, reboot, and that's all folks...


I am experiencing the SAME symptoms with Courier New and Arial fonts with Vista Home Premium SP2. Glad I'm not the only one experiencing this problem.

KB3013455 was apparently installed on 2/11 by McAfee; along with dozens of updates to Office 2007. I have located it, and it looks like it is uninstalling. Now wants to restart.

There is also a FREE "Dark Courier.TTF" available which is very nice, and fixes the problem for Courier where you can select an alternate font.

  • Looks like uninstalling KB3013455 fixed Courier so hoping the same for Arial... Happy hunting...Wow...who would think that a malicious web page could whack your fonts..... Makes you want a MAC...
  • Looks like an answer now...
  • It won't whack your fonts: now that you have KB3013455 uninstalled, it might take control of your computer. Except that if few enough users are affected, maybe no cracker out there will bother writing an exploit. Hopefully.
  • My system rebooted itself at 3:20 am and reinstalled KB3013455 and whacked my fonts again...so I had to un-install it yet again. Windows is not letting me block the KB3013455. AAAhhhh....Maybe Microsoft should consider fixing this bug before issuing the update... Seems like it should be whacking EVERYONE's Courier New and Arial.... (BTW: the FREE "Dark Courier.TTF" has a shorter line height than vanilla Courier New, so it does not play well with my VB6 lists that are looking for 34 visible rows and getting 37...) so not very good for a direct replacement unfortunately
  • I am on Vista Home Premium SP2. I was assuming that McAfee was managing the updates (and not Windows Update)...
