Originally Posted By: artie505
>And second, I do not visit untrustworthy websites; my Safaris do not take me into the lawless areas of the web, so I do not consider myself sufficiently at risk to need to downgrade my computing experience in order to upgrade my security.


Just as a side note, unrelated to the issue of whether or not modern Safari versions are lacking or security updates are important:

It used to be that most computer malware was spread through phony porn sites, and it was once true that by staying away from the "lawless areas of the internet" you were in fact a lot safer.

Today, this is no longer the case. The vast majority of malware is served up from big-name, reputable sites. The New York Times, Travelocity, Delta.com, Expedia, MSN, and other sites have ended up dishing out computer viruses and malware in the last year.

There are three ways this happens:

1. Organized crime gangs set up fake businesses, sometimes even with business licenses and the whole nine yards. They set up Web sites for these phony businesses, then buy banner ads from legitimate banner ad companies like Doubleclick. These ads are Flash, and contain hidden payloads; they usually go to the phony business site, but are rigged so that occasionally, or after a certain time, they start silently redirecting to malware sites instead. The malware sites attempt to use a cocktail of browser and Flash exploits to download malware.

2. Organized crime gangs probe large, popular, top-name Web sites searching for security vulnerabilities such as SQL injection vulnerabilities or the like. Surprisingly in this day and age, a lot of big-name Web companies that should know better, sometimes even including companies like credit card processors, do not have security auditing teams within the company and don't have programs in place to look for this sort of error. All it takes is one Web programmer making one trivial mistake. When the criminals find a vulnerability, they hack the site and place invisible, silent redirectors, or JavaScript or iFrame code, into the site. The site then attempts to silently download malware on anyone who visits it using various browser and plug-in vulnerabilities.

3. Organized crime gangs troll large, big-name Internet sites looking for user forums, customer service forums, and the like. They then register and create profiles on those forums. Some forum software allows users to type JavaScript, ASP code, or other forms of content into a profile or a user page, which is suicidally insane; it's hard to imagine that forum programmers are dumb enough to allow this, but they do. The criminals will then place hostile ASP or JavaScript code into the user profile that attempts to silently download and install malware. Then they seed the profile with popular Google keywords and attempt to lure people doing popular Google keyword searches to these rigged profiles. For example, in the last few weeks, these gangs have used Google keywords like "haiti earthquake" or "donate haiti charity" to lure users to rigged profiles that either redirect to malware sites or try to install malware directly.

So far, I have not seen Mac malware distributed using technique #1 or #2. I have seen Mac malware, specifically the DNSchanger Trojan, distributed using technique #3. In fact, there is an Intuit (the accounting software company) official online forum that has been compromised and is being used to spread malware to visitors, and is also using rigged Google keywords to lure visitors to booby-trapped profiles. I wrote an article about the Intuit hack recently, in fact.

So thinking that you're safe if you keep to the "right" part of the internet is actually a dangerous fallacy, I'm afraid. :(


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
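
Technique #3 in the post above depends on forum software emitting profile text as markup. The following is an added example, not part of the original post or any forum product's code: it shows that rendering pattern beside a hardened one that encodes every field and allows only http(s) links. The field names are hypothetical and the sample profile is constructed.

```javascript
// Added example: rendering a user-supplied forum profile.
// Field names (displayName, bio, homepage) are hypothetical.

// Constructed sample profile containing markup a user typed into the form.
const sampleProfile = {
  displayName: 'helpful_user',
  bio: 'Donation links <script src="//example.invalid/x.js"></script>',
  homepage: 'javascript:void(0)',
};

// UNSAFE: the pattern described in the post. Profile text is pasted into
// the page as-is, so any markup in it runs in every visitor's browser.
function renderProfileUnsafe(p) {
  return `<div class="profile"><h2>${p.displayName}</h2><p>${p.bio}</p>` +
         `<a href="${p.homepage}">homepage</a></div>`;
}

// Encode the five characters that let text break out of HTML text or
// a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only absolute http(s) links; anything else (javascript:, data:,
// malformed input) yields null and the link is omitted.
function safeHttpUrl(s) {
  try {
    const u = new URL(String(s));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch {
    return null;
  }
}

// Hardened: every field is treated as text, never as markup.
function renderProfileSafe(p) {
  const url = safeHttpUrl(p.homepage);
  const link = url ? `<a href="${escapeHtml(url)}" rel="nofollow noopener">homepage</a>` : '';
  return `<div class="profile"><h2>${escapeHtml(p.displayName)}</h2>` +
         `<p>${escapeHtml(p.bio)}</p>${link}</div>`;
}

console.log(renderProfileSafe(sampleProfile));
```

Output encoding at render time is the baseline; a Content-Security-Policy that disallows inline and third-party scripts limits the damage if one field is ever missed.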