Researchers Costin Raiu, Boris Larin and Alexey Kulaev said in a detailed blog post that they had been unable to find the exploit used for remotely exploiting Chrome.
This is not surprising as Google's Project Zero team has rarely revealed full details about zero-days in its own products.
The Kaspersky trio said the two Windows zero-days had been in the operating system since the days of Windows Vista, which means they have been there for more than 14 years.
Additionally, Microsoft issued patches for some 50 other flaws in its various products.
Despite being unable to zero in on the Chrome vulnerability, the Kaspersky researchers said they suspected the flaw used had been demonstrated at the Pwn2Own hacking competition in April.
The bug was used by Bruno Keith and Niklas Baumstark of Dataflow Security to target Chrome and Edge in the Web browser category.
Satnam Narang, staff research engineer at security shop Tenable, said: Microsoft had addressed 49 CVEs, five of which were rated critical. "This is the third time in 2021 that Microsoft has patched less than 60 CVEs and this month's release contains the lowest number of patches in a month so far this year," he added.
He said six zero-day vulnerabilities that have been exploited in the wild were patched, including four elevation of privilege vulnerabilities, one information disclosure vulnerability and one remote code execution vulnerability.
"CVE-2021-33742 is a remote code execution vulnerability in the Microsoft Windows MSHTML Platform. While this vulnerability does not require special privileges, the attack complexity for exploiting this vulnerability is high, which means an attacker would need to perform additional legwork to successfully exploit this flaw. It appears that was the case, though details of in-the-wild exploitation are not yet known," Narang said.
"CVE-2021-31955 is an information disclosure vulnerability in the Windows Kernel, while CVE-2021-31956 is an elevation of privilege vulnerability in Windows NTFS. Details about the in-the-wild exploitation of these vulnerabilities are not yet known. While both vulnerabilities require the attacker to be authenticated to the target system, it is likely that they have been leveraged either post-compromise by the attackers directly or through the use of a malicious file opened by a local user.
"CVE-2021-33739 is an elevation of privilege zero-day vulnerability in the Microsoft Desktop Window Manager (DWM) Core Library. For context, Microsoft patched two elevation of privilege vulnerabilities in February (CVE-2021-1732) and April (CVE-2021-28310) which appear to be linked to a threat actor known as BITTER APT. In the case of CVE-2021-28310, researchers linked the flaw to the dwmcore.dll file. Given that CVE-2021-33739 is credited to the same researchers who found CVE-2021-1732 in February, and was discovered in the same core library as CVE-2021-28310, it is feasible this is another zero-day being leveraged by the same BITTER APT group.
"While these vulnerabilities have already been exploited in the wild as zero-days, it is still vital that organisations apply these patches as soon as possible. Unpatched flaws remain a problem for many organisations months after patches have been released."