The Java flaw, which Google researcher Tavis Ormandy disclosed publicly on April 9, was patched by Sun yesterday with an emergency out-of-cycle fix after evidence surfaced that it was being exploited on one Web site. Researchers at FireEye have seen some other sites using the exploit against visitors, as well. The company has published a detailed analysis of the exploit, which it says is quite simple. The site, which is offline now, was hosting the exploit in a familiar fashion. The main page directed users to a secondary page, on which the exploit itself was actually hosted.
Source: https://threatpost.com/inside-java-0-day-exploit-041610/73839/