The exploited flaw (CVE-2013-2423) affects only client deployments of Java (versions 7u17 and before), and allows remote attackers to execute malicious code without having to authenticate themselves in order to do it.
According to Timo Hirvonen, anti-malware analyst at F-Secure, the kit sporting the exploit is CrimeBoss, and the exploit has been partially copied from the source code of the Metasploit module that targets the flaw.
In fact, researchers reported that it took the kit's developer(s) only a day to fit the exploit it, and it has been spotted being used in the wild starting on Sunday, April 21.
In the meantime, Security Explorations CEO Adam Gowdiak reported to Oracle a new Java 0day affecting all versions of Java SE 7, which can be used to achieve a complete Java security sandbox bypass on a target system, but requires user interaction.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.