The latest Java vulnerability is only possible because Oracle didn't properly fix an old one. It's already being used to push ransomware.