No sooner had the virtual ink dried on our commentary on the alarming Troj_emfsploit.A Trojan, than the company that discovered it – Trend Micro – scaled down its claims.

The gist was that the malware appeared to be exploiting a “critical” vulnerability only two days after Microsoft had patched it. Now it turns out that this claim was in error.

It looked like hard evidence that vulnerabilities were now being exploited almost as quickly as they could be patched, the obvious implication of which was that a major “zero day” exploit was in the offing.

There are a number of metrics at work in assessing the possibility of zero day exploits.

First, there is the rate at which patches are being developed as vulnerabilities are unearthed by the research and vendor community. Next, there is the rate at which malware is being developed to creep through the holes in software. This is definitely getting closer to “zero day” scenario.

The only zero day that really matters is one that affects a major piece of software and in a major way. How quickly this happens if anybody’s guess, but it is no great act of prediction to say it will happen one day.

The final factor is supposed to be the extent and speed at which systems are being patched by customers, but clearly there is a mysterious fourth dimension at work - the speed at which anti-virus vendors can crank out there warnings of disaster narrowly averted.

In Trend’s case, this was a zero day of the wrong sort. They reported an exploit before it had actually been created.