If you’ve decided not to make the move to macOS Sierra, you can still update to Safari 10 on your Mac running OS X El Capitan or Yosemite, and experience most of the new browser’s features.
Safari 10 for El Capitan and Yosemite does not offer Sierra-only features such as picture-in-picture support for video and Apple Pay on the web, but it does include the following new features:
- Safari Extensions
- New Bookmarks sidebar, including double-click to focus in on a folder
- Revamped Bookmarks and History views
- Site-specific zoom: Safari remembers and re-applies your zoom level to websites
- Improved AutoFill from Contacts
- Reader improvements, including in-line sub-headlines, bylines, and publish dates
- Legacy plug-ins are turned off by default in favor of HTML5 versions of websites
- Allow reopening of recently closed tabs through the History menu, holding the “+” button in the tab bar, and using Shift-Command-T
- When a link opens in a new tab, you can now click the back button or swipe to close it and go back to the original tab
- Improved ranking of Frequently Visited Sites
- Web Inspector Timelines Tab
- Debugging using Web Inspector
The updated browser also includes a number of security updates: fixes for a number of WebKit vulnerabilities, and fixes for issues related to Safari Tabs and Reader.
Safari Reader
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting
Description: Multiple validation issues were addressed through improved input sanitization.
CVE-2016-4618: an anonymous researcher
Safari Tabs
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A state management issue existed in the handling of tab sessions. This issue was addressed through session state management.
CVE-2016-4751: Daniel Chatfield of Monzo Bank
WebKit
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A parsing issue existed in the handling of error prototypes. This was addressed through improved validation.
CVE-2016-4728: Daniel Divricean
WebKit
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted website may leak sensitive data
Description: A permissions issue existed in the handling of the location variable. This was addressed through additional ownership checks.
CVE-2016-4758: Masato Kinugawa of Cure53
WebKit
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-4611: Apple
CVE-2016-4729: Apple
CVE-2016-4730: Apple
CVE-2016-4731: Apple
CVE-2016-4734: Natalie Silvanovich of Google Project Zero
CVE-2016-4735: André Bargull
CVE-2016-4737: Apple
CVE-2016-4759: Tongbo Luo of Palo Alto Networks
CVE-2016-4762: Zheng Huang of Baidu Security Lab
CVE-2016-4766: Apple
CVE-2016-4767: Apple
CVE-2016-4768: Anonymous working with Trend Micro’s Zero Day Initiative
CVE-2016-4769: Tongbo Luo of Palo Alto Networks
WebKit
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: A malicious website may be able to access non-HTTP services
Description: Safari’s support of HTTP/0.9 allowed cross-protocol exploitation of non-HTTP services using DNS rebinding. The issue was addressed by restricting HTTP/0.9 responses to default ports and canceling resource loads if the document was loaded with a different HTTP protocol version.
CVE-2016-4760: Jordan Milne
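
The two restrictions in the CVE-2016-4760 description, modelled as a load-policy check. This is an added example, not WebKit's code: the function names, the rule that a response without an `HTTP/x.y` status line counts as HTTP/0.9, and the sample hosts and response bytes are assumptions made for illustration.

```javascript
// Illustrative model of the mitigation described above; not WebKit source.
// Assumption: a response is HTTP/0.9 when it does not begin with an
// "HTTP/<major>.<minor> " status line (HTTP/0.9 sends a body with no headers).
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

function responseVersion(rawHead) {
  const m = /^HTTP\/(\d)\.(\d) /.exec(rawHead);
  return m ? `${m[1]}.${m[2]}` : "0.9";
}

function effectivePort(url) {
  // URL.port is "" when the port is omitted or equals the scheme default.
  return url.port === "" ? DEFAULT_PORTS[url.protocol] : Number(url.port);
}

// Decide whether one resource load may proceed.
// documentVersion: HTTP version the embedding document was loaded with,
// or null when this load is the main document itself.
function checkLoad(resourceUrl, rawHead, documentVersion) {
  const url = new URL(resourceUrl);
  const version = responseVersion(rawHead);
  if (version !== "0.9") return { allow: true, reason: "status line present" };

  // Restriction 1: HTTP/0.9 responses are accepted on default ports only.
  if (effectivePort(url) !== DEFAULT_PORTS[url.protocol]) {
    return { allow: false, reason: "HTTP/0.9 response on non-default port" };
  }
  // Restriction 2: cancel if the document used a different HTTP version.
  if (documentVersion !== null && documentVersion !== "0.9") {
    return { allow: false, reason: `HTTP/0.9 subresource in HTTP/${documentVersion} document` };
  }
  return { allow: true, reason: "HTTP/0.9 on default port" };
}

// Constructed sample loads (hostnames and response bytes are made up).
const samples = [
  ["http://rebound.example:2525/", "220 service ready\r\n", "1.1"],
  ["http://rebound.example/legacy.txt", "plain body, no headers\n", "1.1"],
  ["http://old.example/index.html", "<html>old server</html>", null],
  ["http://site.example:8080/app.js", "HTTP/1.1 200 OK\r\n", "1.1"],
];
for (const [u, head, docVer] of samples) {
  const r = checkLoad(u, head, docVer);
  console.log(u, r.allow ? "ALLOW" : "CANCEL", "-", r.reason);
}
```
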
WebKit
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved state management.
CVE-2016-4733: Natalie Silvanovich of Google Project Zero
CVE-2016-4765: Apple
WebKit
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: An attacker in a privileged network position may be able to intercept and alter network traffic to applications using WKWebView with HTTPS
Description: A certificate validation issue existed in the handling of WKWebView. This issue was addressed through improved validation.
CVE-2016-4763: an anonymous researcher
(Via MacRumors)