My guess would be that Java continues to run an unpatched copy of MSCOMCTL.OCX. If you look at the CVE-2012-0158 patches[0] you'll notice that Microsoft had to patch a lot of software individually; I guess Java just was never fixed.
So it is a Java issue only in the sense that Oracle needs to update it. Obviously the original "bad code" was from Microsoft.
Isn't the "Malicious Software Removal Tool" from Microsoft supposed to scan for such things? Obviously it isn't a full-fledged virus scanner, but I would expect scanning the system for outdated DLLs and such to be well within its reach.
[0] https://technet.microsoft.com/en-us/library/security/ms12-02...
[1] https://community.emc.com/community/connect/rsaxchange/netwi...