Microsoft Patches Edge IE Mode After Hackers Exploited Chakra Zero-Day
The Microsoft Edge Security Team has introduced sweeping changes to the operation of Internet Explorer Mode after confirming a series of targeted cyberattacks exploiting its legacy components. Experts discovered that malicious actors had been abusing vulnerabilities in the obsolete JavaScript engine Chakra, embedded within Internet Explorer, to gain remote access to user devices. The attacks underscored a troubling reality: even in modern browsers, legacy functionalities can serve as dangerous gateways for system compromise.
Internet Explorer Mode in Edge was originally conceived as a temporary bridge to support older websites and corporate portals that still rely on deprecated technologies such as ActiveX and Flash. Although most of the web has since migrated to modern standards, many organizations continue to depend on outdated interfaces — from video surveillance systems to government platforms, where infrastructure upgrades remain challenging. Microsoft therefore preserved IE Mode to ensure compatibility, allowing such sites to open without the need to maintain the full Internet Explorer browser.
Yet the architecture of Internet Explorer is far removed from contemporary security standards. Its lack of multi-layered protection mechanisms, inherent to Chromium, leaves this mode exposed to attacks that modern browsers routinely deflect. In August 2025, Microsoft researchers obtained credible evidence that cybercriminals were exploiting zero-day vulnerabilities in Chakra, combined with social engineering, to infiltrate target systems.
The attack scenario unfolded as follows: adversaries created a fraudulent website, visually indistinguishable from a legitimate one, and lured users into reloading the page in IE Mode through a deceptive pop-up prompt. Once the mode was activated, the attackers deployed an exploit for arbitrary code execution, followed by a secondary vulnerability that allowed them to escape the browser sandbox and seize full control of the device.
This technique effectively bypassed all built-in Edge security layers, enabling the installation of malware, the theft of confidential data, and lateral movement across corporate networks. To halt the exploitation, the Edge team swiftly removed the most high-risk IE Mode activation points — including the toolbar button, context menu, and main interface option. Enterprise users who rely on IE Mode through group policies may continue to do so without restrictions. For individual users, the feature remains available, but it must now be manually enabled for each specific website via Settings → Default Browser, by activating “Allow sites to be reloaded in Internet Explorer mode” and adding the required pages to the compatibility list.
This change makes enabling the mode a deliberate and informed action, greatly complicating attackers’ ability to trick users into activating it with a single click. Now, each site must be explicitly added, effectively eliminating the possibility of inadvertently loading malicious pages in the unsafe IE environment.
Microsoft reminds users that official support for Internet Explorer 11 ended on June 15, 2022, and strongly urges the abandonment of obsolete web technologies. Modern browsers provide not only superior security, but also enhanced performance, stability, and compatibility. Users can verify whether IE Mode is active by opening Edge settings and ensuring the Default Browser configuration is properly adjusted.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
