Apple has a strange and inconsistent policy on security updates for Snow Leopard (aka Mac OS X v10.6.8), the now two-generations-old version of its OS X desktop operating system.
As I mentioned last year, Apple seemed to have stopped releasing security updates for Safari 5.1, the final major release of Safari for Snow Leopard and Windows.
Safari 6.0 was only available for Lion and Mountain Lion (OS X v10.7 and v10.8, respectively), and it patched a number of security vulnerabilities that had existed in Safari 5.1.7. Since then Apple released 6.0.1, 6.0.2, and then 6.0.3 this past week. Just over 200 vulnerabilities have been patched beginning with Safari 6.0 that apparently never made it into a Safari 5.1 update.
This past week, Apple finally (and very silently) bundled Safari 5.1.8 with the Snow Leopard version of Security Update 2013-001.
Strangely, Apple has not released any details whatsoever about this update on its Apple security updates page. There was no mention of Safari 5.1.8 in the Security Update 2013-001 article or in the Safari 6.0.3 article, and there was no separate article mentioning Safari 5.1.8 either. Thus it is unknown whether the 201 vulnerabilities patched between Safari 6.0 and 6.0.3 have also been patched in 5.1.8.
Meanwhile, Apple continues to leave users of Safari for Windows out in the cold. There is no update available via the Apple Software Update application on Windows—nor is there any warning that the outdated version 5.1.7 contains numerous vulnerabilities that make it unsafe to use.
Apple is in desperate need of a consistent policy regarding security updates for its software. While Microsoft has a clear support lifecycle policy that includes publicly disclosed deadlines for each product, Apple seems to release updates for older versions of its software inconsistently, as evidenced by the disturbing 10-month gap between Safari 5.1.7 and Safari 5.1.8 for Snow Leopard.