Is Safari 17.6 still safe to use in 2025?

They claim that zero-days and drive-bys don't require any manual download/installations, ...

Those claims are technically correct. If taken by themselves and removed from remaining context, they are factually true, however, using such a premise to justify outdated Safari versions are somehow "insecure" and therefore no longer safe to use lacks logical justification. Without citing specific examples of how flaws in an "old" Safari version might be exploited to leverage some previously unseen flaw in its code many years after its release, the claims fall flat.

Apple's fundamental approach to such theoretical attacks is based on the premise that Mac malware is not the product of spontaneous generation. It has to arise from somewhere. That source can be anything from the outside world granted access to your equipment, and a browser is only one such threat vector. The first line of defense is you. It is impossible for anyone to install anything on a Mac unless an authorized user of that Mac explicitly permits it — or — that theoretical someone has physical, hands-on access to the Mac, which opens up a wide variety of potential exploits that go beyond the scope of this subject. That explicit permission extends even to Apple's software updates, since Apple is the sole source of them. Whatever is installed on your Mac is installed because you wanted it installed — and there are limitations to that which I'll explain presently.

The next line of defense is Apple's Gatekeeper. Excerpt, which they italicize for emphasis and I boldfaced to address your specific concern:

"... all software in macOS is checked for known malicious content the first time it’s opened, regardless of how it arrived on the Mac."

That means Safari, direct downloads using curl or some cryptic Terminal command neophyte users might be convinced into typing in themselves, a USB drive you plug into the Mac, a malicious device on your local network (which would also require your permission), an AppleScript that does the same thing... anything. Regardless of how it arrived on the Mac.

The next line of defense is XProtect, for which Apple pushes approximately daily updates to check for and invalidate malware that may have been downloaded and installed, even if its installation occurred in the distant past. XProtect operates independently of Safari or any other app or process that might access the Internet, and its definitions are updated even for Macs a decade and a half old. I just checked; the last one was issued yesterday — for a Mac that has been out of production since 2008. Those Macs are functionally obsolete yet Apple still protects them. For free.

The next line of defense (are you getting tired yet?) is SIP which a user can disable (but shouldn't) that blocks alteration of certain protected areas of the system even if the user explicitly authorized such alteration. Only Apple's software updates and apps obtained from the App Store can alter those areas.

The next line of defense (But wait! There's more!) is the fact macOS itself now exists in a signed, cryptographically sealed read only container completely inaccessible to the user. It's been that way since Catalina, and previously on iOS devices. macOS updates and upgrades directly from Apple's servers supposedly deep in some underground bunker are allowed access, but nothing more.

Part 2 of this longwinded reply follows next.

Part 2

But what if macOS somehow became altered by some paranormal phenomenon or a cosmic ray or some subatomic particle flips a single bit from 0 to 1 and causes the Mac to go rogue? They have an answer for that too. In an extraordinary illustration of Apple's approach to device security, if such an infinitesimally low yet arguably non-zero probability event were to occur for reasons unknown to God or man, the system stops dead in its tracks. Runtime corruption detected, and you're done.

I think I've only scratched the surface, but it ought to be abundantly clear by now Safari is so far down the list of potential threat vectors it pales in comparison to all the others. That's not to dissuade you from using a different browser if you so choose. Some (I don't despise Brave for example) are objectively better at certain things. Others (such as Firefox) are better at customization. Among other options both have been updated for "older" operating systems for much longer than Safari has, for their own reasons. In any event security is not the sole justification for using them in lieu of Safari.

In the end if you remain so concerned that you really want to buy a newer Mac capable of running a newer operating system and commensurately newer version of Safari, Apple certainly won't stand in the way, and neither will I. As a Mac user you just don't have to capitulate to fearmongers or opportunists(💰) asserting that older, outdated Safari versions are going to expose you to attack. Even the latest version of Safari or anything else cannot protect users from themselves, which remains by far the greatest threat to your system security. It's the fundamental point of Effective defenses against malware and other threats - Apple Community, which in its barest form can be summarized by the four words "think before you click".

Lastly, even though it's probably way off topic, browsers in general are going away. They have become overwhelmed with advertisements, they burden systems worldwide with energy-wasting battery-consuming inefficient processes, users are too easily convinced into believing things that aren't true (read Viruses, Trojans, and Worms! Oh My!), resulting in subsequently taking inappropriate actions that separate them from their money. Just like advertisements... are you recognizing a trend here? You have a Mac, therefore you are unspeakably, embarrassingly wealthy, making you ripe target for scam artists all over the world. Congratulations.

No I don't know how many years it will take but eventually we will look back and realize we're not using Safari any more. We'll be using apps to do everything we used to do, and we won't miss Safari one bit.

"Safe" connotes different meanings for different people. It's not the latest version, but even older Safari versions incorporate features unmatched by other browsers even today.

I suggest you familiarize yourself with Apple's Safari Privacy Overview. It is six years old, but no browser comes anywhere close to those privacy-centric features.

The version you are using improved upon the features described in that paper, but they are minor improvements. The security features it introduced included "locked private browsing" and improved IP address tracking prevention. Most other features are not particularly security-centric and involved various user interface and navigation changes that can't even be characterized as "improvements" as much as they are mere visual changes.

To summarize, you are already using the world's most secure browser. Using something else might be newer, but it won't be better — not as far as security is concerned.

And you will note I did not use the word "safe" because it is so commonly misused for cowing people into doing things that are ill-advised or counter to their own personal interests.

Effective defenses against malware and other threats - Apple Community addresses those specific concerns.

Security is a broad subject that goes well beyond mere browsers.

As for "malware and viruses" is an error to conflate those terms, and you will only confuse yourself by doing so. To unconfuse matters I highly recommend reading Kurt Lang's User Tip What is malware? - Apple Community so that you do not become deceived by opportunists seeking to exploit gullible people into taking inappropriate actions — even if those inappropriate actions are as innocuous as convincing you to spend money needlessly.

Strictly from a browser perspective, I use both Brave and Firefox as occasional alternatives. Each one has its own particular advantages and disadvantages. The obvious disadvantage is a lack of system-wide integration with the entire Apple product line; a convenience that obviously no third party product can offer. Both are more customizable than Safari, with the caveat that you accept full responsibility for the effects of such modifications.

Safari imposes strict limits on the ability to circumvent certain device security aspects Apple considers essential, which can frustrate users who prefer to decide for themselves.

As I alluded to earlier, an answer depends on your definition of "safe". Apple provides security updates for all their products for various reasons, most of which have nothing to do with safe computing practices.

Who or what is attempting to do that?

There are plenty of self-serving opportunists attempting to convince people of all sorts of things.

If you have been convinced already then that was your decision to make. Obviously lots of people decide upon things based on claims and assertions that are less than factual, but you don't have to be one of them.

Firstly, thank you John Galt for writing your expanded thoughts on the subject. I say expanded because you answered a similar question I had previously asked of you.

Secondly, regarding Bloxinator49 's question–"Why do you advise against the use of profiles to separate our workflow?" I think s/he could've wrongly (easily done, not a criticism) conflated the Safari feature Profiles with the cautionary advice you gave in your user-tip–Effective defenses against malware and other threats–about the macOS extension feature Profile.

Regardless, thanks again.