Microsoft developers have overhauled the Internet Explorer (IE) mode in the Edge browser. The reason is that in August 2025 the company received “credible reports” that unknown hackers were abusing the backward compatibility feature to gain unauthorized access to users’ devices.
“Attackers used basic social engineering alongside unpatched zero-day vulnerabilities in Internet Explorer’s JavaScript engine (Chakra) to gain access to victims’ devices,” the Microsoft Browser Vulnerability Research team said in its report.
During these attacks, documented by experts, attackers tricked users into visiting seemingly legitimate sites and then, via a pop-up on the page, instructed them to reload the page in IE compatibility mode.
After reloading the page, the attackers used an exploit for the Chakra engine and gained the ability to remotely execute arbitrary code. The attack concluded with the hackers using a second exploit to escalate privileges outside the browser, allowing them to take full control of the victim’s device.
Microsoft is not disclosing any details about the nature of the vulnerabilities, the hacker group that exploited them, or the scale of this malicious campaign.
Apparently, attackers found a way to bypass the security mechanisms built into Chromium and Microsoft Edge by running the browser in the less secure Internet Explorer compatibility mode. In effect, this allowed them to break out of the browser and carry out various malicious actions, including deploying malware, lateral movement, and data theft.
In response to these attacks, Microsoft removed the IE mode reload button from the toolbar, along with the corresponding entries in the context menu and the hamburger menu.
At the same time, users who want to enable IE mode will still be able to do so. However, they will now have to explicitly activate it on a case-by-case basis through the browser settings:
- go to Settings → Default browser;
- find the option “Allow sites to be reloaded in Internet Explorer mode (IE mode)” and set it to “Allow”;
- after enabling this setting, add the specific sites that require IE compatibility to the list, then reload the site.
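On managed Windows endpoints the same decision is normally made by enterprise policy rather than by the Settings page above, so a defender will want to check what the policy actually says. The following is an added example (not Microsoft's code): it reads the documented Edge policy values for IE mode from the registry and reports whether ad-hoc "reload in IE mode" is permitted; the findings wording is my own interpretation of those values.

```powershell
# Added example: audit how IE mode is governed on this endpoint via Edge policy.
# Policy value names are Edge's documented enterprise policies; the path is the
# standard machine-wide policy key. Nothing here changes any setting.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePolicyValue {
    param([string]$Name)
    # Returns $null when the policy is not configured at all.
    try { (Get-ItemProperty -Path $policyPath -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-IeModePosture {
    # 0 = None (IE mode off), 1 = IEMode, 2 = NeedIE (legacy IE11 hand-off)
    $level    = Get-EdgePolicyValue 'InternetExplorerIntegrationLevel'
    # 1 = users may reload sites NOT on the enterprise site list in IE mode
    $reload   = Get-EdgePolicyValue 'InternetExplorerIntegrationReloadInIEModeAllowed'
    # URL of the enterprise site list that scopes IE mode to known legacy apps
    $siteList = Get-EdgePolicyValue 'InternetExplorerIntegrationSiteList'

    $findings = @()
    if ($null -eq $level) {
        $findings += 'InternetExplorerIntegrationLevel is not set by policy: the per-user Settings toggle decides.'
    } elseif ($level -eq 0) {
        $findings += 'IE mode is disabled by policy.'
    } else {
        $findings += "IE mode is enabled by policy (level $level)."
        if (-not $siteList) {
            $findings += 'No enterprise site list is configured, so IE mode is not limited to known legacy sites.'
        }
    }
    if ($reload -eq 1) {
        $findings += 'Ad-hoc reload in IE mode is allowed by policy: a page a user is lured to can be reopened in IE mode.'
    }

    [pscustomobject]@{
        IntegrationLevel = $level
        ReloadAllowed    = $reload
        SiteList         = $siteList
        Findings         = $findings
    }
}

Get-IeModePosture | Format-List
```

Policy values take precedence over the per-user Settings toggle described above; the script does not read that per-user preference, so an endpoint with no policy configured should be checked in the browser UI as well.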
The developers note that restricting the launch of IE mode is necessary to strike a balance between security and the need to support legacy technologies.
“This approach ensures that the decision to load web content using legacy technologies becomes considerably more deliberate,” Microsoft writes. “The additional steps required to add a site to the list constitute a significant barrier even for the most persistent attackers.”