Where are the Safari security updates for Windows and Snow Leopard? Users left exposed

Filed Under: Apple, Vulnerability

No Safari security updates for Windows or Snow LeopardLast week, Apple released a new version of its Mac operating system, OS X Mountain Lion. One of Mountain Lion's new features is Safari 6, which adds new features including the ability to enable Do Not Track from the main Preferences window.

Apple also released Safari 6.0 for Lion, the previous version of Mac OS X.

According to Apple's page detailing the security content of this update, Safari 6.0 contains fixes for a whopping 121 vulnerabilities.

Last year on Lion's release date, Apple released Safari 5.1 for Snow Leopard and Windows to bring them up to par with Lion's new version of Safari. On the same day, Apple also released Safari 5.0.6, a security-only update, for Mac OS X Leopard, which was then two OS versions old.

So given Apple's history, and given that Safari 6 included such an extremely high number of critical security updates, one might expect Apple to release updates for Windows and Snow Leopard too - right?

Wrong.

Unfortunately, Apple did not release security updates for Safari for either Snow Leopard or Windows to coincide with the release of Safari 6.0.

No updates available

While it may seem plausible that Apple could be waiting to release security-only updates at a later date, Apple dropped a major hint that this is unlikely, at least as far as the Windows version is concerned.

Apple now redirects www.apple.com/safari/download - the former download address from which the current Windows version could be obtained - to the main Safari page.

And on that webpage, the fine print states,

"The latest version of Safari is available in Mountain Lion. The latest version of Safari for Lion is available through Software Update."

There's no mention of Windows or Snow Leopard.

Frustratingly, there's no warning in either the browser itself or Apple Software Update on either platform that Safari likely won't be updated. Users have no way of knowing that their browser has at least 121 unpatched vulnerabilities and is no longer safe to use.

No software update for Safari from Apple

This, of course, leaves Safari users on those platforms more vulnerable to attack.

It seems that many users who haven't upgraded to Lion or Mountain Lion won't know any better and will continue using Safari unaware of the risks.

Safari logoThe burden of informing those Safari users should really fall on Apple.

Last Wednesday I reached out to Apple for comment about Safari for Windows and Snow Leopard. So far I have not received a response.

I also inquired of Apple back in February whether any security updates would be released for Snow Leopard after the release of Mountain Lion. Again, Apple didn't respond.

Unfortunately for Apple, ignoring security issues that affect a large percentage of users does not make the security issues disappear.

, , , , , , , ,

11 Responses to Where are the Safari security updates for Windows and Snow Leopard? Users left exposed

  1. This is typical of Apple and I'm not entirely surprised. Though why would anyone want to use Safari on a Windows (and even OSX) machine when you have far better choices than Safari ?

    Admittedly I've temporarily dumped Chrome for IE10 on my Win8 machines, but that's more for my own personal testing to see how well it performs now and when the final release of Win8 comes out and just getting to know it, it's not great and a lot like IE9, but does at least roams my Favourites, which is key for me.

  2. Andrew says:

    It's typical of Apple to be way behind on patching. They are vulnerable to the latest Linux threats that have been patched as they keep behind the releases.

  3. Last week I noticed the lack of Safari update for Windows, thankfully I use Chrome as my default browser!

  4. P.O. says:

    Joshua -It is worse than that...if you erase/clean install SL, the 5.1 Safari update is now gone! You are stuck with 5.0.5 from the combo OS update.

  5. Joshua Long says:

    The last paragraph refers to part of the article that Sophos edited out.

    Among other things, the original unedited article pointed out that over 38% of the current Mac installed base uses Snow Leopard, as compared to Lion's 46%.

    That's part of what makes this such a big deal. It's not like Apple's just ceasing updates for a small, insignificant number of users. This is a huge portion of Apple customers.

    I plan to publish the deleted parts of this article elsewhere, along with a related article. If you're interested, you can follow me on Twitter and I'll tweet a link when the rest is published. Just click the "Follow @theJoshMeister" button at the bottom of the article (above the comments).

  6. Paul says:

    Apple's silence on this issue is deafening... they're not supporting their own bundled web browser on an operating system they released less than three years ago!

    • JimboC says:

      I totally agree with Paul and Joshua. It is a disgrace that Apple cut off security updates to what you and I deem quite modern OSes. I agree 3 years is not old!

      Microsoft gets a lot of flak but at least they support their OSes for longer. Windows XP will be supported until 2014, almost 13 years after its release. That’s probably a little too long but their standard support of 10 years from a product release I believe is outstanding. Apple should also follow this convention (or at least move up to 5 years support).

      This cut off of updates is one just one reason why I choose not to be a fan of Apple products, they simply think that everyone has the disposable income to simply dump their devices every 2 to 3 years in favor of those new shiny ones. That’s an ideal world Apple live in. Not to mention the environmental consequences of everyone simply disposing of old devices. Not everyone is going to take the time to bring them to the appropriate recycling center like you or I.

      If Safari for Windows is no longer going to be updated, it should also be removed from the Microsoft Browser Choice Update for European users. Having an insecure browser as a choice in that update is not a good idea.

      Finally, I would like to know how many people have Safari installed given that it used to be installed by default when installing updates using Apple Software Update (when installed on Windows)? (unless you un-ticked the box to install Safari every time you performed a check for updates). Many, many people now have an insecure browser installed and that is no longer going to be patched.

      Apple really need to look again at their stance towards online security and to make improvements.

      I think Paul H. (below) is correct, uninstalling it is the best course of action right now (just like any software that you no longer need or want to use).

  7. Paul.H says:

    I've just uninstalled Safari and won't be going back to it ever.

    Problem solved.

  8. Brian says:

    This nothing new for an OS developer to do. Take winndows xp for example, when IE9 rolled out only Vista and 7 OS users could use it. So I think Apple and Microsoft have a thing or two to learn about protecting their customers. Another way to keep an up to date browser is to download one of the many third party browsers. Which are in my experience better than any stock OS browser.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

About the author

Joshua Long has a master's degree in IT concentrating in Internet Security and is currently earning his Ph.D. specializing in Computer and Information Security. Josh's research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's articles featuring his research and musings on malware and security on his blog security.thejoshmeister.com, and follow him on Twitter and Google+.