[openasocket]

Which part is odd? You can use standard APIs like GetAsyncKeyState() or various utilities for screen scraping and reading the paste buffer to make a key logger, no vulnerabilities required. We still consider such a thing malware of course. The point is exploiting vulnerabilities is not a necessary condition for something to be considered malware.

[yeukhon]

He's probably referring to injecting/deploying the keylogger in the first place. Either it came with a malicious software, via a system exploit, or someone installed it having physical access.

[openasocket]

Or, like in the case of Judy, people installed it willingly, because it was hidden inside a game. If a game or some sort of application people install on their machine had a key logger component, we'd consider that malware, and still no vulnerabilities needed, just basic social engineering.