Description
Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability
FAQ
Is the Preview Pane an attack vector for this vulnerability?
No, the Preview Pane is not an attack vector.
How do the security updates address this vulnerability?
The security updates address the vulnerability by providing the ability to configure the Jet Red Database Engine or Access Connectivity Engine to block access to remote databases. You might need to do this when you allow unprivileged users to run custom SQL queries in JET or ACE. See KB5002984: Configuring Jet Red Database Engine and Access Connectivity Engine to block access to remote databases for more information.
If I do not disable these SQL queries, is there any other way I can be protected from this vulnerability?
No. Allowing ‘External database queries’ can expose you to security risks if you accept ad hoc SQL queries or have a SQL injection flaw in your system that could allow an unknown user to specify ‘external databases’; this could open you to a possible security exploit. If you understand the risks and are confident you do not have an ad hoc SQL or SQL injection flaw, you could consider not disabling this feature.
If after disabling the registry values as listed in KB5002984 you choose to re-enable them, it might make your device vulnerable to attack by a malicious user or malicious software. We do not recommend that you re-enable these registry values but are providing this information so that you can choose to implement this at your own discretion. Use this at your own risk.
Updates
Product | Article | Update |
---|---|---|
Windows Server 2008 for 32-bit Systems Service Pack 2 | ||
Windows Server 2008 for x64-based Systems Service Pack 2 | ||
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | ||
Windows 7 for 32-bit Systems Service Pack 1 | ||
Windows 7 for x64-based Systems Service Pack 1 | ||
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | ||
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | ||
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | ||
Windows Server 2012 | ||
Windows Server 2012 (Server Core installation) | ||
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
DOS
EPSS
CVSS3: 8.8 High
Related vulnerabilities
Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability
Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability
Vulnerability in the Microsoft Jet Red Database Engine (MS Jet (Red)) and Access Connectivity Engine databases of Microsoft Windows operating systems that allows an attacker to execute arbitrary code