Microsoft is restricting access to Internet Explorer (IE) mode within its Edge browser after discovering that threat actors were exploiting zero-day vulnerabilities. The attacks leverage the Chakra JavaScript engine to gain remote code execution on target devices.
The company’s Edge security team received intelligence in August indicating a new threat vector. According to Gareth Evans, Microsoft Edge Security Team Lead, “The [Edge security] team recently received intelligence indicating that threat actors were abusing Internet Explorer (IE) mode within Edge to gain access to unsuspecting users’ devices.” The attack combines social engineering with the software exploit. Threat actors direct targets to what was described as an “official-looking spoofed website” which then prompts the user, through an interface element, to load the page in IE mode. This action triggers the exploit.
The attack unfolds in multiple stages. Once the initial zero-day vulnerability in the Chakra engine is exploited, the attacker leverages a second, unspecified vulnerability. This secondary exploit allows for privilege escalation, enabling the attacker to escape the browser’s security sandbox. After breaking out of the browser’s confines, the threat actor can take full control of the device. Microsoft did not release identifiers for the vulnerabilities involved and confirmed that the flaw in the Chakra engine remains unpatched.
Microsoft Edge hits sub-300ms content load time
IE mode was initially retained in the Edge browser for legacy compatibility purposes, even after official support for Internet Explorer ended on June 15, 2022. The feature allows access to older web technologies, such as ActiveX and Flash, which a small number of business applications and government portals still use.
To mitigate the immediate risk, Microsoft has removed the simple, one-click methods for activating IE mode. The dedicated toolbar button, the context menu entry available via a right-click, and the option located in the main hamburger menu have all been disabled for general users. These changes are intended to make the activation of IE mode a more intentional user action, thereby reducing the chance of accidental or malicious use.
Users who still need to access sites with IE mode must now navigate to Settings > Default Browser > Allow. In this section, they are required to explicitly define the specific pages that are permitted to load using the Internet Explorer engine. This requirement for an approved list of websites is designed to make it significantly more difficult for attackers to succeed with their exploit. These restrictions do not apply to commercial users, who can continue to use IE mode as configured through enterprise policies. Microsoft advised all users to migrate from legacy Internet Explorer technologies to modern products for better security, reliability, and performance.
