Only two days after Microsoft issued a patch for a “critical” flaw related to the graphics rendering engine in Windows, Trend Micro has unearthed a Trojan out to exploit it.

As it happens, the Troj_emfsploit.A (Trend’s name) does nothing worse than cause the core Windows explorer.exe shell to crash, which is merciful. The vulnerability could, according to Microsoft, have resulted in an attacker taking complete control of any Windows 2000, XP (including SP2) and Windows Server 2003 PC.

Anti-virus vendors are a miserable bunch, forever frightening us with yet another dreadful portent. Anyone would think they profited from such fear.

This one is significant, however, and could make those folksy-sounding patch Tuesday bug patches Microsoft has turned into a monthly event a good deal more tense in future.

How long before a major software company of the ilk of Microsoft faces issuing a patch for a vulnerability that has already been exploited? This is the so-termed “zero day” issue and the speed at which Trojans are being cranked out now suggests this will happen soon, if hasn’t happened already.

We could be about to enter a world of real-time patching, with periods of vulnerability being measure in minutes rather than in days, as at present. It is possible that the average enterprise with money to throw at one of the legion of companies looking to provide real-time security services, will be able to cope.

Can such a service be automated? Doubtful. Patches need to be tested if they relate to core elements of the operating system or the services it provides. This is always going to involve someone, somewhere scratching their head and making a sensitive judgment.

Nobody in the early days of software could have forseen it, but code is now evolving with a genetic fedundity not far short of a Drosphila fruit fly. Security has done that to us.