PT-2011-4447 · Apple · Macos X+1

Published 2011-09-10 · Updated 2017-08-29 · CVE-2011-3422

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Apple Mac OS X versions 10.6.8 and earlier

Description
The issue arises from the Keychain implementation not properly handling the "untrusted" attribute of a Certification Authority certificate. This makes it easier for man-in-the-middle attackers to spoof arbitrary SSL servers via an Extended Validation certificate; for example, the issue could be demonstrated by accessing a website over HTTPS with Safari.

Recommendations
For Apple Mac OS X versions 10.6.8 and earlier, update to a newer version to mitigate the risk of man-in-the-middle attacks. As a temporary workaround, restrict access to untrusted Certification Authority certificates to minimize the risk of exploitation.

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2011-3422

Affected Products

Mac OS X
Safari