Mac security firm says Apple needs a consistent policy regarding security updates

Mar 18, 2013 14:54 GMT

The Mac security experts at Intego report that Apple has silently bundled Safari 5.1.8 with the Snow Leopard implementation of its Security Update 2013-001. The Cupertino giant had already confirmed a Safari update for users of its Mountain Lion OS.

The Austin, Texas-based security company reports that Apple stopped patching Safari on Snow Leopard almost a year ago, leaving it at version 5.1.7.

The vulnerabilities have been patched in Safari for Lion and Mountain Lion. However, Snow Leopard users remained unprotected for almost a year.

Then, last week, Apple rolled out Security Update 2013-001 with a nice Easter egg inside.

“Strangely, Apple has not released any details whatsoever about this update on its Apple security updates page,” Joshua Long reports for Intego.

“There was no mention of Safari 5.1.8 in the Security Update 2013-001 article or in the Safari 6.0.3 article, and there was no separate article mentioning Safari 5.1.8 either,” Long adds.

Intego thus concludes that the 201 vulnerabilities patched between Safari 6.0 and 6.0.3 could well have remained unpatched in Safari 5.1.8.

And it doesn’t get any better on the Windows front either, Intego reveals.

“Meanwhile, Apple continues to leave users of Safari for Windows out in the cold. There is no update available via the Apple Software Update application on Windows—nor is there any warning that the outdated version 5.1.7 contains numerous vulnerabilities that make it unsafe to use,” Joshua Long continues.

The firm believes “Apple is in desperate need of a consistent policy regarding security updates for its software.”

Intego points to Microsoft as a good example of how security threats should be handled, noting the Redmond company’s “clear support lifecycle policy that includes publicly disclosed deadlines for each product.”

Apple, on the other hand, “seems to release updates for older versions of its software inconsistently, as evidenced by the disturbing 10-month gap in between Safari 5.1.7 and Safari 5.1.8 for Snow Leopard,” Long concludes.