Safari 16.6.1

Originally published at: Safari 16.6.1 - TidBITS

Patches a WebKit security vulnerability in Monterey and Big Sur. (Free, various sizes, macOS 11+)

Safari 16.6.1 is for “macOS Big Sur and Monterey.”
On my Mac running macOS Ventura 13.6 (22G120), Safari is still 16.6 (18615.3.12.11.2).

I’m guessing that the main Ventura update made the appropriate changes for WebKit. I’ll be curious to see if the next security update that involves WebKit comes with a Safari update for Monterey and Ventura, or just Monterey.

It is a little strange to have 3 currently supported macOS versions and the older 2 have the newest version number of Safari.

Safari has been on my personal “ban” list for some time due to WebKit being so integrated in macOS. It seems dangerously similar to how Internet Explorer was integrated with Windows back in the day. I know they are different animals using different technology, but how many security issues in recent years have been related to WebKit and/or affect not just Safari but multiple apps or parts of macOS?

Although it seemed egregious for Microsoft to tightly integrate a web browser into Windows back in 2000/2001 (when browsers were ‘just another app’), it now seems inconceivable that an operating system would ship without a web rendering engine being a fundamental framework tightly integrated with the OS. Imagine if every app had to build its own parser or browser engine to display web or HTML content? (And when apps do that – cough, cough, Electron – people rightly complain about how resource intensive and non-native they are.)

In the same way that we expect an OS to provide APIs to allow displaying graphics and video and audio (without building your own decoder or finding a third-party library), a modern OS needs APIs to display web content (both locally and from the network). And this is not something that can be swapped in and out at will, just like you couldn’t swap out QuickDraw in classic Mac OS and can’t swap out Quartz in modern macOS. So I don’t see how Apple could have a viable modern OS without WebKit (or equivalent) being deeply integrated.

(And security issues in system frameworks are nothing new. A number of iOS vulnerabilities have been related to graphics file decoding.)

I hear you and don’t disagree technically… It just makes me very uneasy because we are all totally dependent on one secrecy- and PR-obsessed company (that makes the hardware, OS, software and much of the cloud services) to protect us from abuses of that integration.

The subject of Electron is timely, as the current WebP (libwebp) debacle is ongoing and I keep waiting for the next shoe to drop. I saw some interesting discussions about Electron possibly needing to be totally UN-installed and RE-installed to be fully patched due to some issue with the updater.

Many apps are dependent on Electron… and it is but one example in the WebP case.

Yay technology! 😀

Just a reminder that the issue with Microsoft bundling IE in Windows wasn’t that this was necessarily egregious, but that Microsoft was under a consent decree that was supposed to prevent them from including technology for free within their OSes that they once charged for after settling an earlier lawsuit with the FTC. The DOJ argued (successfully) that bundling IE after initially charging for it when Windows 95 was released violated that consent decree.