@gsuberland @moffintosh This seems mostly useful as a persistence option.
It also shouldn't be able to affect a #QubesOS system that hasn't been entirely pwn'd.
It also vindicates my dislike of most image parsers & codec implementation choices, again, even more damningly than libwebp did.
> The results raise a vexing question: If fuzzers identified so many exploitable vulnerabilities, why hadn’t the developers of the UEFIs (often called IBVs or independent BIOS vendors) and the OEMs selling the devices already used these tools and fixed the underlying bugs?
Because they largely don't give a shit. We've known this for a while now.
Literally none of those bugs would work if they'd written the firmware in strict Ada SPARK like they should've for something as security-critical.