SummitRoute / osxlockdown

[No longer maintained] Apple OS X tool to audit for, and remediate, security configuration settings.
MIT License

Why is Safari considered to be insecure? #14

Closed astrostl closed 8 years ago

astrostl commented 8 years ago

"osxlockdown was built to audit, and remediate, security configuration settings on OS X"

As per commands.json, "I 'secure' safari by removing javascript and PDF support. Advanced users won't use Safari anyway and novices will be persuaded to use Chrome or Firefox"

What is insecure about Safari? I'd note that, unlike third-party browsers, updates to it are applied along with general system updates, which are automatically enabled by osxlockdown itself. If I'm using Firefox or Chrome, the app needs to run to update, meaning there's a necessary out-of-date window.

Your project, your rules. I do consider myself an "advanced" user, though, and I use Safari :P

0xdabbad00 commented 8 years ago

I just added a section to the readme for this. Basically, I use Chrome, but I actually use the same crippling on Chrome as I've set here on Safari. I enable javascript on a per site basis and open PDFs in a separate Chrome profile as needed. However, I do believe Chrome is more secure, as the Chrome team develops most of the major features used in Safari anyway, and further the Chrome team has been more active in finding security concerns, such as when Diginotar was being used to MiTM people.

astrostl commented 8 years ago

As far as development goes, I think they're totally separate now, FWIW: Apple forked KHTML to make WebKit, and Google somewhat recently forked WebKit to make Blink. For privacy reasons, which I closely associate with security, I won't touch Chrome. Preferences vary :)

sroberts commented 8 years ago

The following article might help: "Surprise! Flash Is Not 2015's Most Vulnerable Software". In short, Chrome has a much better security model, things like process isolation, and overall much more investment by the Chrome Security team. Not using Safari is one of the first things I recommend to new Mac users.

astrostl commented 8 years ago

That article is a vendor ranking, not a product one. From the same data source, we can see at http://www.cvedetails.com/top-50-product-cvssscore-distribution.php that Safari (including iOS) has about half as many total vulnerabilities as Chrome, and a slightly lower average severity. Firefox, for its part, has a similar number of vulnerabilities as Chrome and a slightly higher average severity.

I'm not arguing that any browser is especially more or less secure, and the data appears to support that view. I would argue, though, that "advanced" users (ahem) do use Safari, and that both Safari and Firefox have objectively superior privacy positions. I just found it strange that Safari seemed to be singled out, but as the creator has now clarified, he does the same thing to his own Chrome browser. No sweat.

0xdabbad00 commented 8 years ago

I am also considering if and how I should expand this to common apps, specifically Firefox and Chrome, and ensuring Adobe Reader is not installed. The Safari check and modification just happened to be in one of the guides I looked at.