"Stuxnet and Duqu were created on the same [development] platform, but they have nothing in common with Flame," said Schouwenberg. "There's absolutely nothing in common. Stuxnet/Duqu and Flame use completely different development philosophies."

But the then-unpatched bugs may connect the dots.

In fact, Schouwenberg is sure that they do. "The exploits being used by Flame, and that it's spread through USB devices, those are identical to what we found in Stuxnet," he said. "So we definitely think that Stuxnet and Flame were parallel operations. Whoever was behind this contracted two different teams or companies, which then came up with different solutions."

In that scenario, the two teams -- one to create Stuxnet, another to build Flame -- were hired by the same person, people, group or government around the same time, with each team provided the same zero-day vulnerabilities.

Most security experts at least suspect -- if they haven't already jumped to the conclusion -- that Flame was backed by a government.