In my opinion:
The Windows environment Java exploit described by DHS can be contained in kind of a "walled garden" using Symantec Endpoint Protection's "Application and Device Control" policy feature.
This is done by first building an execute rule around the JRE EXEs and DLLs, basically telling the JRE it cannot execute any applications outside its own shell, or you can specify exactly what apps it can spawn/compile and from where!
Next, build a file/folder write restriction policy that says where and what the JRE can write to the disk, registry and memory.
Now write a rule that explicitly states what applications can spawn the JRE.
This is a bit oversimplified but seems to work in other application scenarios we used it to mitigate. I love it.