Microsoft has moved swiftly to tighten security in its Edge browser by reworking access to IE (Internet Explorer) mode after reports emerged that threat actors were turning the legacy compatibility feature into a backdoor. According to Microsoft’s Browser Vulnerability Research team, attackers used social engineering to trick users into reloading sites in IE mode, then exploited zero-day vulnerabilities in the Chakra JavaScript engine to execute malicious code and escalate privileges. In response, Microsoft removed quick-access buttons and menu shortcuts for IE mode; now users must explicitly opt in and whitelist sites via deeper browser settings. This shift aims to prevent attackers from abusing backward compatibility as a weak point.
Sources: The Hacker News, SC World
Key Takeaways
– Attackers exploited IE mode in Edge by social engineering users to reload pages under legacy-engine conditions, enabling remote code execution and privilege escalation.
– Microsoft removed UI shortcuts and toolbar buttons for IE mode, forcing users to explicitly enable it and whitelist specific sites via settings.
– The change reflects a shift toward more deliberate, permission-based legacy support to reduce attack surface.
In-Depth
For years, Microsoft has maintained an IE mode inside Edge to preserve backward compatibility with older web apps and corporate intranet sites built on legacy technologies. But that very convenience is now under scrutiny. In August 2025, Microsoft received credible intelligence that threat actors were abusing IE mode as an entry point. The attackers persuaded users—often via social engineering tactics—to reload a site in IE mode, where the browser disabled or bypassed modern protections baked into Edge’s Chromium foundation. In that weakened state, the attackers exploited two separate zero-day vulnerabilities tied to the Chakra JavaScript engine (originally from Internet Explorer), first achieving remote code execution from within the browser context, then climbing out via privilege escalation to take full control of the device.
What’s especially dangerous about this is that it subverts modern browser defenses by reintroducing a legacy engine under conditions that allow exploits to bypass sandboxing, content security policies, and newer mitigations. Once control was achieved, attackers could deploy malware, move laterally within networks, or exfiltrate sensitive data. Reports indicate Microsoft withheld details about the vulnerabilities themselves or the scale of attacks, preferring to move rapidly to mitigate the issue rather than dwell on disclosure.
To address it, Microsoft removed all IE mode shortcuts—toolbar buttons, context-menu entries, and menu items are gone. Now, users who genuinely require legacy behavior must explicitly enable “Allow sites to be reloaded in Internet Explorer mode” in Edge’s Default Browser settings, then manually add needed sites to a whitelist. That extra friction is designed as a barrier for attackers, forcing more deliberate steps if someone tries to misuse IE mode. In Microsoft’s words, this change “ensures that the decision to load web content using legacy technology is significantly more intentional.”
This adjustment underscores a tension: on one hand, enterprises still depend on legacy web applications; on the other, legacy components pose serious security risks when reintroduced. The move leans toward security by default, making it harder for attackers to exploit backward compatibility. Going forward, administrators and users will need to review which legacy sites truly need IE mode, and restrict use tightly. It also suggests that Microsoft anticipates continued threat actors hunting residual legacy engines in modern contexts.