A software vulnerability exploited by cyberweapons including Stuxnet and Flame is still being used to attack millions of users around the world four years after it was patched, a Kaspersky analysis has suggested.

The firm’s analysis looked at detections of malware trying its luck against CVE 2010-2658, an important flaw discovered to be affecting Windows XP, Vista, Windows 7, Server 2002 and Server 2008 in July 2010, and whose popularity remains strangely undimmed among cybercriminals.

Between November 2013 and June 2014, Kaspersky Lab detected 19 million systems encountering malware that appeared to be using exploits targeting it, 64 percent of which were running Windows XP.

The top country registering these exploits was Vietnam (42.4 percent), India (11.7 percent), Indonesia (9.4 percent), Brazil (5.5 percent) and Algeria (3.7 percent), with a clutch of other developing countries also showing high levels of XP use featuring on the list. 

CVE 2010-2658 was first noticed in the Sality worm and Stuxnet attacks in 2010, and was eventually patched by Microsoft in early August. As it happens, the persistence of this flaw is probably explained by Sality, detections of which seem to coincide closely with its activity.

Conclusions? Kaspersky Lab is cagey about how many real-world attacks these ‘detections’ translate into (the exploit created malicious shortcuts that can in theory be created by other malware) but it does implies a large number of machines are probably vulnerable to it despite the widespread availability of a patch.

Many of these systems also run Windows XP and may never be properly patched against a range of known software flaws.

“Kaspersky Lab’s experts presume that most of these stem from poorly maintained servers without regular updates or a security solution installed. These servers may also be inhabited by worms that use malware exploiting this vulnerability,” said Kaspersky Lab researcher, Yuri Ilyin.

But according to Tim Erlin, security R&D director at security firm Tripwire, the figures may be an underestimate of the true scale of the problem.

“Kaspersky is only seeing part of the picture here.As a malware detection product, they have recorded and measured ‘detections of exploits’ rather than the vulnerability itself,” he said.

“They can infer from the exploit activity that the vulnerability is present, but there may be many more systems that are vulnerable, but not yet being exploited.”

Although impossible to prove, it seemed likely that the large number of detections in certain countries was related to the number of unpatched systems, he said.