Hynek Schlawack

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions 10.9.2 and earlier **Description** The issue allows remote attackers to bypass extra verification within a custom application via a crafted certificate chain that is acceptable to the Trust Evaluation Agent (TEA) feature but not acceptable to that application. This is due to the Apple patch for OpenSSL not terminating certain TLS/SSL handshakes as specified in the SSL CTX set verify callback function's documentation. **Recommendations** For Apple OS X versions 10.9.2 and earlier, consider updating to a newer version that includes the fix for this issue. As a temporary workaround, consider restricting the use of the TEA feature in custom applications to minimize the risk of exploitation.