Thoughtful, detailed coverage of everything Apple for 34 years
and the TidBITS Content Network for Apple professionals

Safari 16.6.1

Apple has released Safari 16.6.1 for macOS 12 Monterey and macOS 11 Big Sur to fix a WebKit vulnerability addressed in other recent updates (see “OS Security Updates Address Three More Exploited Vulnerabilities,” 21 September 2023). We recommend updating soon via Software Update. (Free, release notes, macOS 11+)


Comments About Safari 16.6.1

Notable Replies

  1. Safari 16.6.1 is for “macOS Big Sur and Monterey.”
    On my Mac running macOS Ventura 13.6 (22G120), Safari is still 16.6 (18615.3.12.11.2)

  2. I’m guessing that the main Ventura update made the appropriate changes for WebKit. I’ll be curious to see if the next security update that involves WebKit comes with a Safari update for Monterey and Ventura, or just Monterey.

  3. It is a little strange to have 3 currently supported macOS versions and the older 2 have the newest version number of Safari.

    Safari has been on my personal “ban” list for some time due to WebKit being so integrated in macOS. It seems dangerously similar to how Internet Explorer was integrated with Windows back in the day. I know they are different animals using different technology, but how many security issues in recent years have been related to WebKit and/or affect not just Safari but multiple apps or parts of macOS?

  4. Although it seemed egregious for Microsoft to tightly integrate a web browser into Windows back in 2000/2001 (when browsers were ‘just another app’), it now seems inconceivable that an operating system would ship without a web rendering engine being a fundamental framework tightly integrated with the OS. Imagine if every app had to build its own parser or browser engine to display web or HTML content? (And when apps do that – cough, cough, Electron – people rightly complain about how resource intensive and non-native they are.)

    In the same way that we expect an OS to provide APIs to allow displaying graphics and video and audio (without building your own decoder or finding a third-party library), a modern OS needs APIs to display web content (both locally or from the network). And this is not something that can be swapped in and out at will, just like you couldn’t swap out QuickDraw in classic Mac OS and can’t swap out Quartz in modern macOS. So I don’t see how Apple could have a viable modern OS without WebKit (or equivalent) being deeply integrated.

    (And security issues in system frameworks are nothing new. A number of iOS vulnerabilities have been related to graphics file decoding.)

  5. I hear you and don’t disagree technically… It just makes me very uneasy because we are all totally dependent on one secrecy and PR obsessed company (that makes the hardware, OS, software and much of the cloud services) to protect us from abuses of that integration.

    The subject of Electron is timely, as the current WebP (libwebp) debacle is ongoing and I keep waiting for the next shoe to drop. I saw some interesting discussions about Electron possibly needing to be totally UN-installed and RE-installed to be fully patched due to some issue with the updater.

    Many apps are dependent on Electron… and it is but one example in the WebP case.

    Yay technology! :grinning:

  6. Just a reminder that the issue with Microsoft bundling IE in Windows wasn’t that this was necessarily egregious, but that Microsoft was under a consent decree that was supposed to prevent them from including technology for free within their OSes that they once charged for after settling an earlier lawsuit with the FTC. The DOJ argued (successfully) that bundling IE after initially charging for it when Windows 95 was released violated that consent decree.
