The Stagefright vulnerability in Android that has been in the news lately was patched on both the Amazon Fire TV and Fire TV Stick via the latest software updates that began rolling out around the middle of last month. The Stagefright bug was publicly announced on July 27th, which means Amazon had prior knowledge of the bug in order to have released their fix a week earlier on July 19th. Google was informed of the Android vulnerability in April, so they likely informed Amazon through private channels before the bug’s public announcement.
An AFTVnews reader, who goes by the incredibly creative username AFTV User, has tested for the vulnerability before and after applying the latest software update. I’ve also run the test myself and can verify that Fire TV’s running software version 18.104.22.168, including those running the pre-rooted ROM, and Fire TV Stick’s running software version 22.214.171.124 are not vulnerable to the Stagefright exploit, while Fire TV devices running older software are vulnerable.
It makes sense now why Amazon released the latest software version so soon after releasing the previous software update. The Stagefright bug allows attackers to remotely execute code and gain system privileges. While this type of vulnerability is not as big of a concern on a set top box as it is on a smartphone which tends to store more sensitive information, it’s nice to see Amazon was quick to respond and patch the security hole.