Exploiting ActionScript3 interpreter

Wednesday 3 October 11:30 - 12:00, Red room

Boris Larin (Kaspersky Lab)
Anton Ivanov (Kaspersky Lab)

At the end of 2017 we discovered an Adobe Flash Player zero-day vulnerability (CVE-2017-11292) which was used in the BlackOasis APT. This case demonstrates that Adobe Flash Player is still a good target for threat actors.

CVE-2017-11292 is a particularly interesting type-confusion vulnerability, and there are no public reports describing it.

In this presentation we will present and release our own 'ActionScript3' processor module and debug plug-in for IDA Pro. These tools work together to complement each other, and have already shown good results in in-the-wild exploit debugging.

We analysed the Actionscript Virtual Machine (AVM) and found a way to increase analysis with the rich possibilities of IDA Pro and APIs.

In our presentation we will cover the following:

  • What exploitation techniques are used by threat actors now in Flash exploits
  • A detailed description of CVE-2017-11292
  • How to find new vulnerabilities in Adobe Flash Player
  • Our self-made IDA Pro plug-ins for analysis and debugging of Flash exploits.



Boris Larin

Boris Larin is a malware analyst at Kaspersky Lab, focused on exploits and network attack detection. His main fields of interest are reverse engineering, code deobfuscation and vulnerability research. He is also the author of educational materials for Kaspersky Academy and runs a malware reverse engineering course at Harbour.Space University in Barcelona. In his free time he likes to investigate and examine the security of embedded devices.




 Anton Ivanov

Anton graduated from Russia's Higher School of Economics in 2013, with a degree in information technology. Anton also has a Master's degree from the Russian Presidential Academy of National Economy and Public Administration. Anton joined Kaspersky Lab in 2011 as malware analyst. Now he leads the behavioural detection team. Anton has several patents relating to malware detection.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.