BDAqua wrote:
You very likely are far more on top of this than I am, but what if this is a new vector?
Obviously, anything is possible, but it's been over a week since I first heard about this. I spent some time this weekend digging into it and everything I see points to yet another screw-up in the Certification system. I also think we would have read something from the commercial A-V folks about it by now if it was new malware.
It's not at all unusual to run across a bad certificate. I probably see a lot more of them than the average user because I tightened up the settings in Keychain Preferences->Certificates. It's just that what was routinely accepted by users before Flashback "G", I believe, is now being flagged as suspicious.
Again, if this is the one I think it is, I am able to read the text of the Twitter Button JavaScript in my browser without rendering it, but to be on the safe side, issue this Terminal command to download the JavaScript text: curl platform.twitter.com/widgets.js. I'm not fluent in JavaScript so I can't be certain of what it does, but I don't see anything that jumps out at me. I believe this serves to do a couple of things. First, Ghostery considers it to be a tracking script and blocks it out for those who have installed their extension. According to them it appears on 300000 web sites. But it also inserts a button on the c|net toolbar that floats at the bottom of the page with the Twitter bird followed by "Follow @CNET". Presumably if you click the button and are signed up with Twitter, you will be signed up to follow CNET.
The certificate popup I got was:
All that being said, I went to the c|net home page just now and no longer get the certificate pop-up, so perhaps it's been fixed.
If the OP could give us all the URL where he's getting this and if the pop-up looks anything like the above, then maybe we could do more, but right now we all seem to be doing a lot of speculation.