
The impact of Internet Explorer is still being felt years after the world moved on from the web browser. Microsoft has announced that it is “Restraining IE Mode Access” in Microsoft Edge, citing concerns about exploitation of 0day vulnerabilities in Internet Explorer’s JavaScript engine.
That Internet Explorer continues to live on in Edge remains astonishing to many, but it has been retained for compatibility reasons. Nonetheless, Microsoft is now taking steps to plug holes that have enabled threat actors to gain access to devices.
Microsoft says that the Edge browser security team “recently received intelligence indicating that threat actors were abusing Internet Explorer (IE) mode within Edge to gain access to unsuspecting users’ devices”.
The company goes on to justify keeping Internet Explorer components within Edge:
While the majority of the web has transitioned to modern standards, there remains a small subset of sites that still depend on legacy technologies such as ActiveX and Flash. This is especially prevalent in business applications, older security camera interfaces, and some government portals, where updating underlying technology stacks is often slow or impractical. For this reason, Microsoft Edge offers Internet Explorer mode so that users can complete their tasks on pre-selected sites then return safely to Edge.
There then follows a curious admission of IE’s failings:
However, it is important to recognise that Internet Explorer was not designed with the robust architecture and defence-in-depth mitigations that we have come to expect from modern Chromium-based browsers such as Edge. This exposes users of such browsers to risks that contemporary products are explicitly engineered to mitigate.
Microsoft goes on to provide some information about exploits that combine social engineering with software vulnerabilities:
In August 2025, the Edge security team received credible intelligence that threat actors were leveraging basic social engineering techniques alongside unpatched (0-day) exploits in Internet Explorer’s JavaScript engine (Chakra) to gain access to victim devices. The attacker would first convince the victim to navigate to an official-looking spoofed website, then use a flyout on the page to request the user to reload the page in Internet Explorer mode. The attackers would then leverage a Chakra (IE’s JavaScript engine) exploit to gain remote code execution. Finally, the attackers would use a second exploit to elevate their privileges out of the browser to gain full control of the victim’s device.
This attack vector is particularly concerning because it bypasses many of the security enhancements present in Chromium by reverting to IE’s older execution environment. Successful exploitation could result in the installation of malware, lateral movement within corporate networks, or exfiltration of sensitive data.
Microsoft has now implemented changes that require IE Mode to be manually enabled for every site for which it is needed, helping to avoid leaving systems exposed.
The security team explains:
With clear evidence of active exploitation and users at risk, the Edge browser security team took decisive action to remove the highest-risk entry points for loading a page in IE Mode, including the dedicated toolbar button, context menu, and the hamburger menu items. No changes were made to the logic for commercial users to enable IE mode through enterprise policies. For non-commercial users with a need for Internet Explorer compatibility, IE mode remains available, but must now be explicitly enabled on a site-by-site basis via Edge’s settings:
- Navigate to Settings > Default Browser.
- Locate the option labeled Allow sites to be reloaded in Internet Explorer mode and set it to Allow.
- After enabling this setting, add the specific site(s) requiring IE compatibility to the Internet Explorer mode pages list.
- Reload the site; it should now open in IE mode with the required compatibility.
This approach ensures that the decision to load web content using legacy technology is significantly more intentional. The additional steps required to add a site to a site list are a significant barrier for even the most determined attackers to overcome.
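Microsoft's statement says the logic for enabling IE mode through enterprise policies is unchanged, so on managed fleets the site list remains the control to review. The following is an added example, not code from Microsoft or from this article: it audits a site list in the Enterprise Mode schema v.2 XML format (`site`, `compat-mode`, `open-in`) and reports every entry that opens in the IE engine outside an approved set. The hostnames, the allowlist and the three review rules are assumptions constructed for illustration.

```python
# Added example: audit an Enterprise Mode site list (schema v.2 XML) for IE mode entries.
import xml.etree.ElementTree as ET

# Constructed sample; hostnames are placeholders, not taken from the article.
SAMPLE_SITE_LIST = """<site-list version="7">
  <site url="legacy-hr.example.internal/timesheets">
    <compat-mode>IE11</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="cameras.example.internal">
    <compat-mode>IE11</compat-mode>
    <open-in allow-redirect="true">IE11</open-in>
  </site>
  <site url="example.com">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="intranet.example.internal">
    <compat-mode>Default</compat-mode>
    <open-in>MSEdge</open-in>
  </site>
</site-list>"""

# Hypothetical allowlist of hosts the organisation has approved for IE mode.
APPROVED_IE_HOSTS = {"legacy-hr.example.internal", "cameras.example.internal"}


def audit_site_list(xml_text, approved_hosts):
    """Return (url, reason) findings for entries that open in the IE engine."""
    findings = []
    root = ET.fromstring(xml_text)
    for site in root.iter("site"):
        url = (site.get("url") or "").strip().lower()
        open_in = site.find("open-in")
        if open_in is None or (open_in.text or "").strip().upper() != "IE11":
            continue  # entry does not load in IE mode
        host = url.split("/", 1)[0].split(":", 1)[0]
        if host not in approved_hosts:
            findings.append((url, "IE mode for a host that is not on the approved list"))
        if "/" not in url:
            findings.append((url, "whole host opens in IE mode; no path restriction"))
        if (open_in.get("allow-redirect") or "").lower() == "true":
            findings.append((url, "allow-redirect set: rule also applies via redirects"))
    return findings


if __name__ == "__main__":
    for url, reason in audit_site_list(SAMPLE_SITE_LIST, APPROVED_IE_HOSTS):
        print(f"{url}: {reason}")
```

Each finding is a prompt for review rather than proof of a problem: an approved legacy host may legitimately need the whole site in IE mode.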