Generally for malware a zero-day threat means there is no fix for the vulnerability. Originally intended to mean the system designers have "zero days" to get a fix developed to avoid infection.

Lots of vulnerabilities (a feature that could be exploited to let malware onto the computer) are found before any malware that attacks that vulnerabilty has been found, so a certain amount of delay in getting the vulnerability plugged isn't a problem. Estimating how long you might have to fix it depends on guessing how soon someone will figure out how to use it.

An alternate interpretation is that the malware is already out there and nobody has a fix.

This IE8 malware is a zero-day thing, since malware using it has already appeared and has been used to infect computers.

The "fix" is just a way for the computer to "work around" the problem. (Sort of a sidestep or jump-over the puddle so you don't fall in kind of thing.) It does not eliminate the problem.

A "patch" that does remove the vulnerability will be provided for those who need it "later." (Microsoft promises.)

John