Most drive-by exploit kits use a minimal exploit shellcode that downloads and runs the final payload.
If you are still using Java, you insist on updating it manually, and you haven't gotten around to installing the latest Critical Patch Update released a week ago, you are advised to do it now, as an exploit for one of the vulnerabilities it patched has been incorporated into a popular exploit kit and is being actively used in the wild.
Oracle’s Java SE Critical Patch Update for April 2013 contains 19 CVEs with a CVSS base score of 10 (the highest you can go), indicating that exploiting the vulnerability is not particularly challenging and could give complete control of compromised systems.
I believe that most infosec professionals have, at one time or other, wished they could fight back when some of the resources they are tasked with protecting came under attack by hackers.
Making good on their promise, Security Exploration has published technical details about a Java issue that they consider to be a security vulnerability, but that Oracle has categorized as demonstrating "allowed behavior".