Apple Releases Safari 10 for OS X El Capitan and OS X Yosemite

If you’ve decided not to make the move to macOS Sierra, you can still update to Safari 10 on your Mac running OS X El Capitan or Yosemite, and experience most of the new browser’s features.

Safari 10 for El Capitan and Yosemite does not offer Sierra-only features such as picture-in-picture support for video and Apple Pay on the web, but it does include the following new features:

  • Safari Extensions
  • New Bookmarks sidebar, including double-click to focus in on a folder
  • Revamped Bookmarks and History views
  • Site-specific zoom: Safari remembers and re-applies your zoom level to websites
  • Improved AutoFill from Contacts
  • Reader improvements, including in-line sub-headlines, bylines, and publish dates
  • Legacy plug-ins are turned off by default in favor of HTML5 versions of websites
  • Allow reopening of recently closed tabs through the History menu, holding the “+” button in the tab bar, and using Shift-Command-T
  • When a link opens in a new tab, you can now click the back button or swipe to close it and go back to the original tab
  • Improved ranking of Frequently Visited Sites
  • Web Inspector Timelines Tab
  • Debugging using Web Inspector

The updated browser also includes security updates: fixes for a number of WebKit vulnerabilities, as well as fixes for issues in Safari Tabs and Safari Reader.

Safari Reader

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting

Description: Multiple validation issues were addressed through improved input sanitization.

CVE-2016-4618: an anonymous researcher

Safari Tabs

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Visiting a malicious website may lead to address bar spoofing

Description: A state management issue existed in the handling of tab sessions. This issue was addressed through session state management.

CVE-2016-4751: Daniel Chatfield of Monzo Bank

WebKit

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A parsing issue existed in the handling of error prototypes. This was addressed through improved validation.

CVE-2016-4728: Daniel Divricean

WebKit

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: A permissions issue existed in the handling of the location variable. This was addressed through additional ownership checks.

CVE-2016-4758: Masato Kinugawa of Cure53

WebKit

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-2016-4611: Apple

CVE-2016-4729: Apple

CVE-2016-4730: Apple

CVE-2016-4731: Apple

CVE-2016-4734: Natalie Silvanovich of Google Project Zero

CVE-2016-4735: André Bargull

CVE-2016-4737: Apple

CVE-2016-4759: Tongbo Luo of Palo Alto Networks

CVE-2016-4762: Zheng Huang of Baidu Security Lab

CVE-2016-4766: Apple

CVE-2016-4767: Apple

CVE-2016-4768: Anonymous working with Trend Micro’s Zero Day Initiative

CVE-2016-4769: Tongbo Luo of Palo Alto Networks

WebKit

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: A malicious website may be able to access non-HTTP services

Description: Safari’s support of HTTP/0.9 allowed cross-protocol exploitation of non-HTTP services using DNS rebinding. The issue was addressed by restricting HTTP/0.9 responses to default ports and canceling resource loads if the document was loaded with a different HTTP protocol version.

CVE-2016-4760: Jordan Milne
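
The mitigation described for CVE-2016-4760 can be read as a small load policy. The sketch below is an added example, not WebKit's code: the names `response_version`, `Load` and `allow_load`, the port numbers and the sample byte strings are all assumptions constructed for illustration, and it models one reading of the advisory text.

```python
# Added illustration of the HTTP/0.9 policy in the advisory text above.
# Not WebKit source; all names and sample data are hypothetical/constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_PORTS = {"http": 80, "https": 443}


def response_version(first_bytes: bytes) -> str:
    """HTTP/1.x responses open with a status line ("HTTP/1.1 200 OK").
    HTTP/0.9 has no status line or headers, so any other byte stream,
    including a non-HTTP service's banner, is treated as an HTTP/0.9 body."""
    line = first_bytes.split(b"\r\n", 1)[0]
    if line.startswith(b"HTTP/"):
        token = line.split(b" ", 1)[0]
        return token[5:].decode("ascii", "replace")
    return "0.9"


@dataclass
class Load:
    scheme: str
    port: int
    first_bytes: bytes
    # Protocol version the owning document was loaded with;
    # None means this load is the top-level document itself.
    document_version: Optional[str] = None


def allow_load(load: Load) -> Tuple[bool, str]:
    version = response_version(load.first_bytes)
    if version != "0.9":
        return True, "response has a status line"
    # Rule 1: HTTP/0.9 responses are only accepted on the scheme's default port.
    if load.port != DEFAULT_PORTS.get(load.scheme):
        return False, "HTTP/0.9 response on non-default port"
    # Rule 2: cancel a resource load whose document used another HTTP version.
    if load.document_version not in (None, "0.9"):
        return False, "HTTP/0.9 resource for HTTP/%s document" % load.document_version
    return True, "HTTP/0.9 on default port"


if __name__ == "__main__":
    samples = [  # constructed sample loads
        Load("http", 80, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        Load("http", 9000, b"+OK constructed non-HTTP banner\r\n", "1.1"),
        Load("http", 80, b"<html>legacy server</html>"),
        Load("http", 80, b"<html>legacy server</html>", "1.1"),
    ]
    for s in samples:
        print(s.scheme, s.port, allow_load(s))
```
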

WebKit

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved state management.

CVE-2016-4733: Natalie Silvanovich of Google Project Zero

CVE-2016-4765: Apple

WebKit

Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6

Impact: An attacker in a privileged network position may be able to intercept and alter network traffic to applications using WKWebView with HTTPS

Description: A certificate validation issue existed in the handling of WKWebView. This issue was addressed through improved validation.

CVE-2016-4763: an anonymous researcher

(Via MacRumors)