Danger from the Grave: Microsoft Buries IE Even Deeper

Following active attacks, Microsoft has drastically restricted Internet Explorer mode in Edge. Attackers even used zero-days for system takeovers.

Pixelated close-up of the lettering https://www in a browser

(Image: Ryan DeBerardinis/Shutterstock.com)


Internet Explorer is not dead yet. At least not completely. Attackers have been actively exploiting zero-day vulnerabilities in the outdated Chakra JavaScript engine since August 2025. Microsoft has now reacted and fundamentally rebuilt the IE compatibility mode in Edge. As the Edge security team reports, attackers combined social engineering with an exploit chain to gain full control over target systems.

The IE mode allows Edge users to load websites in the old Internet Explorer environment; it is intended for legacy applications that rely on outdated technologies like ActiveX or Flash. Although Internet Explorer officially reached its end of life on June 15, 2022, the compatibility mode remains available for enterprise applications and government portals. It is not the first time that remnants of the Microsoft browser have become a security problem.

The current attack chain began with fake websites that imitated legitimate services. Via a flyout element, the attackers prompted their victims to reload the page in IE mode. There, they first used an unpatched vulnerability in the Chakra engine for the injection and execution of malicious code (Remote Code Execution). A second exploit then enabled the breakout from the browser to compromise the entire system (Privilege Escalation).

Microsoft has neither published CVE numbers nor provided an explicit patch for the Chakra vulnerability. Instead, in response to the attacks, the company has simply removed all easy access routes to IE mode: the dedicated toolbar button, the context menu entry, and the option in the so-called hamburger menu have disappeared. Whether the Cumulative Update for IE released in September fixes the security vulnerabilities themselves remains unclear.


Anyone who wants to use IE mode in the future must explicitly activate it in the Edge settings under edge://settings/defaultBrowser and manually add each individual URL to an allowlist. Only after a browser restart can the listed pages be loaded in IE mode. Microsoft is counting on this cumbersome process to give users more time to recognize fake URLs and to make the decision more consciously.

For enterprise customers with centrally managed IE mode policies, nothing changes—they can continue to configure compatibility mode via Group Policy. However, Microsoft emphasizes again that organizations should accelerate their migration from legacy technologies to benefit from the security architectures of modern browsers. Those who value security leave IE switched off.
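For administrators who want to check how IE mode is actually configured on managed machines, the following PowerShell audit is an added example, not code from the article or from Microsoft. It reads the documented Edge policy values InternetExplorerIntegrationLevel and InternetExplorerIntegrationSiteList; the HKLM/HKCU policy paths are the standard Edge policy location and are assumed here.

```powershell
# Added example: audit how Internet Explorer mode is configured via Edge policy.
# Policy names follow Microsoft's Edge policy documentation; the registry paths
# are the standard Edge policy locations and are assumed, not taken from the article.
function Get-IEModePolicyStatus {
    $policyPaths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge',   # machine policy takes precedence
        'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
    )
    # Documented meaning of InternetExplorerIntegrationLevel: 0 = None, 1 = IEMode, 2 = NeedIE
    $levelNames = @{ 0 = 'None (IE mode disabled)'; 1 = 'IEMode'; 2 = 'NeedIE' }

    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $props.InternetExplorerIntegrationLevel) { continue }

        $level    = [int]$props.InternetExplorerIntegrationLevel
        $siteList = $props.InternetExplorerIntegrationSiteList
        $name     = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { "unknown ($level)" }
        $finding  = if ($level -eq 0) { 'OK: IE mode disabled by policy' }
                    elseif ([string]::IsNullOrEmpty($siteList)) { 'REVIEW: IE mode enabled without a managed site list' }
                    else { 'REVIEW: IE mode enabled; confirm every site-list entry is still required' }

        return [pscustomobject]@{
            Scope    = $path
            Level    = $name
            SiteList = $siteList
            Finding  = $finding
        }
    }
    # No policy set: the per-user allowlist in edge://settings/defaultBrowser governs IE mode
    return [pscustomobject]@{
        Scope    = 'none'
        Level    = 'not managed'
        SiteList = $null
        Finding  = 'REVIEW: no policy; IE mode is governed by per-user settings'
    }
}

Get-IEModePolicyStatus | Format-List
```

Run it as part of a fleet inventory and treat anything other than "IE mode disabled by policy" as an item to review against the migration plan the article recommends.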

The decision to restrict access as a reaction to acute attacks instead of providing dedicated patches is remarkable. Apparently, even Microsoft considers Internet Explorer no longer maintainable and the risk of further zero-days too high. The fact that a product officially dead for almost three years still serves as an attack vector illustrates the dilemma of backward compatibility: what was intended as a bridge for the transition becomes a permanent weak point. Companies that are still dependent on ActiveX controls in 2025 should take this warning as a final wake-up call.

(ju)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.