
Oracle's got nothing to do with the failure of the Java applet sandbox. The problem with the applet sandbox is simple: it was designed before anybody really understood modern secure C programming --- integer handling, memory lifecycle, concurrency.

The major browser projects all host a very similar attack surface --- a programming language with content/attacker-controlled code hooked up to a whole bunch of crazy bells and whistles. The browsers barely, just barely, have a handle on that attack surface. And the modern browsers have all rearchitected in the last 5 years specifically to address the problem, which is something the Java applet maintainers have not done. Who in the world is surprised that doubling the browser attack surface creates problems?

It's long past time we put Java applets out to pasture.


