
Apple Shocks Security World with Safari 5.1.8 for Snow Leopard


Apple has a strange and inconsistent policy on security updates for Snow Leopard (aka Mac OS X v10.6.8), the now two-generations-old version of its OS X desktop operating system.

As I mentioned last year, Apple seemed to have stopped releasing security updates for Safari 5.1, the final major release of Safari for Snow Leopard and Windows.

Safari 6.0 was only available for Lion and Mountain Lion (OS X v10.7 and v10.8, respectively), and it patched a number of security vulnerabilities that had existed in Safari 5.1.7. Since then, Apple has released 6.0.1, 6.0.2, and then 6.0.3 this past week. Beginning with Safari 6.0, just over 200 vulnerabilities have been patched that apparently never made it into a Safari 5.1 update.

This past week, Apple finally (and very silently) bundled Safari 5.1.8 with the Snow Leopard version of Security Update 2013-001.

Safari 5.1.8 Screenshot

Strangely, Apple has not released any details whatsoever about this update on its Apple security updates page. There was no mention of Safari 5.1.8 in the Security Update 2013-001 article or in the Safari 6.0.3 article, and there was no separate article mentioning Safari 5.1.8 either. Thus it is unknown whether the 201 vulnerabilities patched between Safari 6.0 and 6.0.3 have also been patched in 5.1.8.

Meanwhile, Apple continues to leave users of Safari for Windows out in the cold. There is no update available via the Apple Software Update application on Windows—nor is there any warning that the outdated version 5.1.7 contains numerous vulnerabilities that make it unsafe to use.

No Safari 5.1.8 for Windows

Still no Safari updates for you, Windows users!

Apple is in desperate need of a consistent policy regarding security updates for its software. While Microsoft has a clear support lifecycle policy that includes publicly disclosed deadlines for each product, Apple seems to release updates for older versions of its software inconsistently, as evidenced by the disturbing 10-month gap between Safari 5.1.7 and Safari 5.1.8 for Snow Leopard.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com.