Microsoft Disables IE Mode in Edge After Hackers Abused It for Attacks
Microsoft has overhauled the Internet Explorer (IE) mode in the Edge browser after receiving “credible reports” in August 2025 that threat actors were exploiting the feature to gain unauthorized access to user devices.
According to the Microsoft Browser Vulnerability Research team, attackers combined basic social engineering with unpatched zero-day vulnerabilities in Internet Explorer’s JavaScript engine (Chakra) to compromise systems.
How the Exploit Worked
In the documented attacks, victims were lured to fake but convincing websites and prompted through a pop-up to reload the page in IE compatibility mode. Once the page reloaded, attackers exploited a vulnerability in Chakra to achieve remote code execution, and then chained a privilege escalation exploit outside the browser to take full control of the system.
Microsoft has not released technical details about the vulnerabilities, the threat group involved, or the scale of the campaign.
Researchers believe the attackers effectively bypassed Chromium and Edge security mechanisms by forcing the browser to operate in the legacy, less secure IE environment. This gave them the ability to escape the browser sandbox, install malware, move laterally, and steal data.
Microsoft’s Response
In response, Microsoft removed the “Reload in Internet Explorer mode” button from Edge’s toolbar, context menu, and main menu.
However, users who still need to access legacy web applications can manually enable the feature:
- Go to Settings → Default browser
- Find “Allow sites to reload in Internet Explorer mode (IE mode)” and set it to Allow
- Add specific sites requiring compatibility to the list and reload the page
Balancing Compatibility and Security
Microsoft said these restrictions aim to strike a balance between supporting older web technologies and maintaining user safety.
“This approach ensures that the decision to load web content using legacy technologies becomes significantly more conscious,” the company wrote. “The additional steps required to add a site to the list present a serious barrier even for the most persistent attackers.”
While the company continues to phase out Internet Explorer and its components, this latest change underscores how legacy compatibility features can introduce unexpected attack surfaces—even within modern browsers.