Last week I wrote about how Amazon patched the Stagefright vulnerability with the Fire TV 188.8.131.52 and Fire TV Stick 184.108.40.206 software updates. It now appears that Amazon, Google, and the security firm which first discovered the Stagefright vulnerability have all missed an additional library which contains the Stagefright vulnerability. The latest Fire TV software version, 220.127.116.11, and the latest Fire TV Stick software version, 18.104.22.168, both contain this newly discovered unpatched library. Meaning, all Fire TVs and Fire TV sticks are still vulnerable to the Stagefright bug, regardless of which software version they are currently on.
The Stagefright bug leaves Android devices, including the Fire TV and Fire TV Stick, vulnerable to attacks from malicious code that can be used to gain control of an unpatched device. This bug is of particular interest to the Fire TV modding community due to it’s potential use as a avenue for rooting, which has already been demonstrated on some Android devices. Since the Fire TV has been unrootable since the 22.214.171.124 software update, and the Fire TV Stick has never been rootable, there is hope that a new rooting method will be released using the Stagefright bug.
A security firm by the name of Exodus Intelligence has discovered that the initial patches released to fix the Stagefright bug have not been thorough enough and have left one vulnerable software library found in Android and on Fire TV devices. Zimperium, the security firm that original discovered the Stagefright vulnerability, has updated their detector app to now also check for the Stagefright bug in the previously unknown library. I have run tests with the newly updated detector app and can confirm that it reports all version of the Fire TV and Fire TV Stick software, including the latest 126.96.36.199 and 188.8.131.52 versions, are vulnerable to at least one of the Stagefright libraries.
I suspect that Amazon will be releasing a new software update very soon that patches the last remaining Stagefright vulnerable library. If you are interested in rooting your Fire TV or Fire TV Stick, you should block software updates and remain on software version 184.108.40.206 or older for the Fire TV and remain on software version 220.127.116.11 or older for the Fire TV Stick. It is still unknown if a rooting method using the Stagefright bug will be released for Fire TV devices, but rooting enthusiasts should hold tight on whatever software version they currently have installed if they’re hoping to root their device.
That leaves me with only 1 question. Would it be more beneficial to be on 18.104.22.168 with more of the unpatched libraries? Or is the potential of rooting just as great on 22.214.171.124 as it is on 126.96.36.199? Sorry for wording the same thing multiple times. Just want to be sure I asked correctly.
It’s always best to stay on the oldest version possible, even if it seems there’s no difference between two versions. This is because there could always be things we don’t know yet about the newer versions.
Can you revisit the blocking page? The comments seem to say it doesn’t work.
Blocking the URLs on that page via your router still works. I use it myself.
Is there a way to block the bug for a rooted fire tv?
What are the chances of the stick finally being rootable using Stagefright? Have any other media devices running Android get rooted using Stagefright? I may buy a stick and leave in the box until rootable versus waiting until it’s rootable and all new sticks will come from the factory already patched.
Are new sticks without the partial Stagefright patch still available in stores or from Amazon? How can I check it without buying and opening it?