Internet Explorer becomes a security vulnerability

IE believed to be dead becomes a security vulnerability: Microsoft reacts

Following active attacks, Microsoft has drastically restricted the Internet Explorer mode in Edge. Attackers even used zero-days to take over systems.

Internet Explorer is still not dead. At least not really. Attackers have been actively exploiting zero-day vulnerabilities in the outdated Chakra JavaScript engine since August 2025. Microsoft has now reacted and fundamentally rebuilt the IE compatibility mode in Edge. According to the Edge security team, the attackers combined social engineering with an exploit chain to gain complete control over target systems.

IE mode allows Edge users to load websites in the old Internet Explorer environment - intended for legacy applications that rely on outdated technologies such as ActiveX or Flash. Although Internet Explorer officially reached its end of life on June 15, 2022, the compatibility mode remains available for enterprise applications and government portals. This is not the first time that remnants of Microsoft's browser, long regarded as a security risk, have turned into a security problem.

Three steps to system takeover

The current chain of attacks began with fake websites that imitated legitimate services. Using a flyout element, the attackers asked their victims to reload the page in IE mode. There, they first exploited an unpatched vulnerability in the Chakra engine to inject and execute malicious code (remote code execution). A second exploit then made it possible to break out of the browser in order to compromise the entire system (privilege escalation).

Microsoft has neither published CVE numbers nor provided an explicit patch for the Chakra vulnerability. Instead, in response to the attacks, the company quickly removed all convenient access paths to IE mode: the dedicated toolbar button, the context menu entry and the option in the so-called hamburger menu have disappeared. It therefore remains unclear whether the cumulative update for IE released in September closes the underlying security gaps themselves.

A cumbersome path as a security measure

Anyone who wants to use IE mode in the future has to explicitly activate it in the Edge settings under edge://settings/defaultBrowser and manually add each individual URL to an allowlist. The listed pages can only be loaded in IE mode after a browser restart. Microsoft hopes that this cumbersome process will give users more time to recognize fake URLs and make the decision more consciously.

For enterprise customers with centrally managed IE mode policies, nothing will change - they can continue to configure compatibility mode via Group Policy. However, Microsoft reiterates that organizations should accelerate their migration from legacy technologies to take advantage of the security architectures of modern browsers. Those who value security should leave IE switched off.
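The article describes two ways IE mode stays reachable: the per-user allowlist under edge://settings/defaultBrowser and the centrally managed Group Policy path that enterprises use. The following PowerShell audit script is an added example, not code from heise or Microsoft; it reports what a machine's Edge policy says about IE mode and which entries in an Enterprise Mode site list actually open in the legacy engine. The policy value names (InternetExplorerIntegrationLevel, InternetExplorerIntegrationSiteList, InternetExplorerIntegrationReloadInIEModeAllowed) are assumed from Microsoft's Edge policy documentation, the site-list XML and its hostnames are constructed sample data, and the per-user allowlist from the settings page is not covered because Edge stores it internally rather than in this policy key.

```powershell
# Added audit example (not from the heise article or from Microsoft): shows a
# defender how IE mode is configured on a machine. Policy value names are
# assumed from Microsoft's Edge policy documentation; the site list is
# constructed sample data standing in for a company's real one.

# 1. Constructed Enterprise Mode site list (v2 schema). In a real audit you
#    would fetch the URL named by the InternetExplorerIntegrationSiteList
#    policy instead of embedding XML here.
[xml]$siteList = @"
<site-list version="42">
  <site url="legacy-erp.corp.example">
    <compat-mode>IE11</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="portal.example.gov/forms">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="example.com">
    <compat-mode>Default</compat-mode>
    <open-in>MSEdge</open-in>
  </site>
</site-list>
"@

function Get-IEModeSites {
    param([xml]$List)
    # Only entries whose <open-in> is IE11 render in the legacy (Trident/Chakra)
    # engine; MSEdge entries are listed for other reasons and carry no IE risk.
    foreach ($s in $List.'site-list'.site) {
        [pscustomobject]@{
            Url        = $s.url
            OpensInIE  = ($s.'open-in' -eq 'IE11')
            CompatMode = $s.'compat-mode'
            # A bare registrable domain with no path matches every host under
            # it, so the IE-mode attack surface is far larger than one app.
            BroadMatch = ($s.url -notmatch '/' -and ($s.url -split '\.').Count -le 2)
        }
    }
}

function Get-IEModePolicy {
    # Machine-wide Edge policies set by GPO or Intune live under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 0 = None, 1 = IEMode (assumed from the Edge policy documentation);
        # $null means the policy is not set and Edge defaults apply.
        IntegrationLevel = $p.InternetExplorerIntegrationLevel
        SiteListUrl      = $p.InternetExplorerIntegrationSiteList
        # Governs the user-facing "reload in IE mode" option that the article
        # says Microsoft has now hidden for unlisted sites.
        ReloadAllowed    = $p.InternetExplorerIntegrationReloadInIEModeAllowed
    }
}

# Report: first the policy state, then every site that still opens in IE mode,
# flagging broad domain matches that deserve a second look.
Get-IEModePolicy | Format-List
Get-IEModeSites -List $siteList |
    Where-Object { $_.OpensInIE } |
    Format-Table -AutoSize
```

On a machine with no Edge policy configured the first table shows empty values, which is the expected state for an unmanaged client after Microsoft's change; on a managed client, an IntegrationLevel of 1 together with a populated site list is the configuration the article says remains unaffected, so the second table is where a migration inventory should start.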

The decision to restrict access rather than ship dedicated patches in response to acute attacks is remarkable. Apparently, even Microsoft considers Internet Explorer to be unmaintainable and the risk of further zero-days to be too high. The fact that a product that has officially been dead for almost three years still serves as an attack vector illustrates the dilemma of backward compatibility: what was intended as a bridge for the transition is becoming a permanent point of failure. Companies that still rely on ActiveX controls in 2025 should take this as a final wake-up call.

Found at https://www.heise.de/news/Gefahr-aus-dem-Grab-Microsoft-verbuddelt-IE-noch-tiefer-10761101.html