You can add code to fail validation if this specific intermediate certificate is in the trust chain, but there's no way to ban intermediate certificates with the X.509 trust model without removing the root from the CA store.
Firefox/Chrome already do some extra validation to ban SHA1 certs issued past a specific date, they'd just need to blacklist the fingerprint of the intermediate CA.
