(I don’t know how Sparkle operates; if it only does the extraction after signature validation, I guess an attack would be pretty hard to pull off even if you have a zero-day in the archive decompressor.)

Step 1: find zero-day vulnerability in obscure archive format
Step 2: add said archive format to the most popular 3rd-party macOS software update framework
Step 3: ???

Add support for extracting Apple Archives (.aar files) by zorgiepoo · Pull Request #2586 · sparkle-project/Sparkle

Useful things I own, part 82768492

Voted in a building with this weird structure in it

Also this one

Cleaning day at the office. Found this old beauty.

macOS 14.5 was just released with literally zero changes communicated to the end user?

“Let’s put Android on this projector,” they said. “It’ll be great with all those apps,” they said.

Our product deleted some “malware” in Proxygen’s container when I downloaded it in my VM - it still got delivered through the proxy so all is good, I was just surprised it landed on disk at all :-) /cc @pasi@mastodon.social