There's apparently another security bug in Java.
Depending on what you're working with, you may be able to download and invoke the application outside of the browser — such as can be done with Minecraft — or you can both enable the Java JVM plug-in within the browser and also disable the version-check defenses in Xprotect (see the comments here for details) that are blocking the Java webstart stuff (again), if you need to run that stuff from the web browser.
Otherwise, Oracle will likely be providing an update to block the most recent attacks.
There are two other potential wrinkles here, where the Java JVM web plug-in disables itself after some interval of non-use, and there are also diagnostics issued when launching an app that isn't signed by a developer ID from Apple. Java checks for its own signatures, and Apple checks for its signatures, and the Java apps aren't signed with the Apple keys.