Microsoft has issued an out-of-band patch for two zero-day vulnerabilities in Windows, both of which have been actively exploited. The first flaw (CVE-2021-31166) is a remote code execution vulnerability in the HTTP Protocol Stack, while the second (CVE-2021-31194) is a privilege escalation vulnerability in the Windows Kernel. The vulnerabilities are rated as “Important” and “Moderate” respectively.

Microsoft said that it had detected “limited targeted attacks” exploiting the flaws and urged users to apply the patch as soon as possible. The tech giant said that both vulnerabilities were discovered internally, but did not provide any details on the attackers exploiting them.

The patch comes as Microsoft prepares to issue its monthly batch of security updates. The company said that it had released the out-of-band patch separately as the vulnerabilities were already being actively exploited in the wild. Experts recommend that organizations prioritize applying the patches to avoid the risk of attackers exploiting the flaws to gain unauthorized access or deploy malware.

Read more at: https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-two-zero-day-vulnerabilities