XSLT is an XML-based transformation language that lets you transform or create XML documents using XSLT stylesheets. XSLT has been disabled by default in Firefox since Firefox 41. This update temporarily re-enables XSLT by default. If you have disabled XSLT and are currently affected by this vulnerability, you will need to re-enable XSLT to work around the issue. On Windows, if you have disabled XSLT, you will receive a notification in the Windows taskbar. To re-enable XSLT, click the notification and then click the "OK" button. Once XSLT has been re-enabled, you will need to wait for Firefox to activate it, which usually takes about 15 seconds.

How to Enable or Disable XSLT in Firefox

To enable or disable XSLT in Firefox, follow these steps:
1. Open your Firefox browser.
2. Click on the menu button ("three horizontal lines") and select "Options."
3. Select "Advanced."
4. In the "Content" section, find and select "XSLT." When you click on that option, you will see a list of options for how to handle XSLT content.
5. If you don't want any possibility of being vulnerable to CVE-2022-38473, please disable XSLT by selecting “Don't use any stylesheets” from the list of options (the default setting).
6. To re-enable XSLT, select either “Enable all types” or “Enable selected types” from the list of options on the left side of the page and then click on “Ok” to save your changes.

What is the purpose of this check?

This check determines whether Firefox has disabled XSLT. If so, it will have to be re-enabled before the vulnerability can be exploited.

What is the XSLT vulnerability?

A vulnerability exists in the handling of XSLT stylesheets. This vulnerability can be exploited by malicious people to manipulate the behavior of XSLT processors. The vulnerability is not exploitable from inside a sandbox and does not affect Firefox's other sandboxes such as JavaScript and WebGL.

The purpose of this blog post is to give you some insight into how to protect yourself from a recently discovered XSLT vulnerability. The following are six ways to prevent exploitation:
1. Disable XSLT in Firefox
2. Add "requestPolicyDisallow" to your policy filter
3. Use a Content Security Policy (CSP)
4. Patch your system

How do I enable XSLT?

To enable XSLT, you will need to follow these steps:
1. Open the Mozilla Firefox browser.
2. Click the "Options" button in the Firefox toolbar.
3. Click on the "Content" tab and scroll down to "XML Transformations".
4. Check the box to enable XSLT on your computer, then click OK to close this dialog box.
5. If you're using Windows, close Mozilla Firefox and open it again after 15 seconds or so for XSLT to be enabled and activated by Firefox.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/03/2023 21:12:00 UTC
