nerdexam
Cisco

210-255 · Question #34

You receive an alert for malicious code that exploits Internet Explorer and runs arbitrary code on the site visitor machine. The malicous code is on an external site that is being visited by hosts on

The correct answer is A. Mozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2, Trident 6.0). The MSIE token and Trident rendering engine in a User-Agent string positively identify Internet Explorer, the browser targeted by the reported exploit.

Network Intrusion Analysis

Question

You receive an alert for malicious code that exploits Internet Explorer and runs arbitrary code on the site visitor machine. The malicous code is on an external site that is being visited by hosts on your network. Which user agent in the HTTP headers in the requests from your internal hosts warrants further investigation?

Options

  • AMozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2, Trident 6.0)
  • BMozilla/5.0 (XII; Linux i686; rv: 1.9.2.20) Gecko/20110805
  • CMozilla/5.0 (Windows NT 6.1; WOW64; rv: 4O0) Gecko/20100101
  • DOpera/9.80 (XII; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16

How the community answered

(47 responses)
  • A
    74% (35)
  • B
    6% (3)
  • C
    15% (7)
  • D
    4% (2)

Why each option

The MSIE token and Trident rendering engine in a User-Agent string positively identify Internet Explorer, the browser targeted by the reported exploit.

AMozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2, Trident 6.0)Correct

The string 'MSIE 10.0' is the definitive User-Agent token for Microsoft Internet Explorer 10, and 'Trident 6.0' confirms its proprietary rendering engine. Because the malicious code specifically exploits Internet Explorer, any internal host presenting this User-Agent was running the vulnerable browser when visiting the external site. This combination of MSIE and Trident is the key indicator linking that host to the exploitable attack surface.

BMozilla/5.0 (XII; Linux i686; rv: 1.9.2.20) Gecko/20110805

This User-Agent identifies Mozilla Firefox on Linux using the Gecko engine, which is not Internet Explorer and is not affected by an IE-specific exploit.

CMozilla/5.0 (Windows NT 6.1; WOW64; rv: 4O0) Gecko/20100101

This User-Agent represents Mozilla Firefox on Windows using the Gecko engine; despite the Windows platform, it is not Internet Explorer and is not the targeted browser.

DOpera/9.80 (XII; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16

This User-Agent identifies the Opera browser on Linux using the Presto rendering engine, which is unrelated to Internet Explorer and unaffected by the reported vulnerability.

Concept tested: Identifying Internet Explorer via HTTP User-Agent header analysis

Source: https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/ms537503(v=vs.85)

Topics

#HTTP user agent#browser exploit#Internet Explorer#malicious traffic

Community Discussion

No community discussion yet for this question.

Full 210-255 Practice