Last week I wrote about how Amazon patched the Stagefright vulnerability with the Fire TV 18.104.22.168 and Fire TV Stick 22.214.171.124 software updates. It now appears that Amazon, Google, and the security firm which first discovered the Stagefright vulnerability have all missed an additional library which contains the Stagefright vulnerability. The latest Fire TV software version, 126.96.36.199, and the latest Fire TV Stick software version, 188.8.131.52, both contain this newly discovered unpatched library. Meaning, all Fire TVs and Fire TV sticks are still vulnerable to the Stagefright bug, regardless of which software version they are currently on.
The Stagefright bug leaves Android devices, including the Fire TV and Fire TV Stick, vulnerable to attacks from malicious code that can be used to gain control of an unpatched device. This bug is of particular interest to the Fire TV modding community due to it’s potential use as a avenue for rooting, which has already been demonstrated on some Android devices. Since the Fire TV has been unrootable since the 184.108.40.206 software update, and the Fire TV Stick has never been rootable, there is hope that a new rooting method will be released using the Stagefright bug.
A security firm by the name of Exodus Intelligence has discovered that the initial patches released to fix the Stagefright bug have not been thorough enough and have left one vulnerable software library found in Android and on Fire TV devices. Zimperium, the security firm that original discovered the Stagefright vulnerability, has updated their detector app to now also check for the Stagefright bug in the previously unknown library. I have run tests with the newly updated detector app and can confirm that it reports all version of the Fire TV and Fire TV Stick software, including the latest 220.127.116.11 and 18.104.22.168 versions, are vulnerable to at least one of the Stagefright libraries.
I suspect that Amazon will be releasing a new software update very soon that patches the last remaining Stagefright vulnerable library. If you are interested in rooting your Fire TV or Fire TV Stick, you should block software updates and remain on software version 22.214.171.124 or older for the Fire TV and remain on software version 126.96.36.199 or older for the Fire TV Stick. It is still unknown if a rooting method using the Stagefright bug will be released for Fire TV devices, but rooting enthusiasts should hold tight on whatever software version they currently have installed if they’re hoping to root their device.