After discovering that hackers were exploiting a zero-day in the Chakra JavaScript engine used by Internet Explorer versions 9, 10, and 11, Microsoft has taken swift action to modify the IE Mode access policy within the Microsoft Edge browser. Under the new policy, enabling IE Mode to access certain websites will become a significantly more complex process.
Although Internet Explorer officially reached its end of support on June 15, 2022, some government and enterprise websites still require the IE rendering engine for compatibility reasons. To address this, Microsoft integrated IE Mode into Edge, allowing users to switch from the Chromium engine to the legacy IE engine to maintain access to such sites.
However, starting in August 2025, Microsoft’s team received threat intelligence reports indicating that cybercriminals had begun directing users to deceptive phishing websites disguised as legitimate domains. These malicious pages prompted visitors to switch to IE Mode under the pretense of resolving loading issues, thereby tricking them into activating the mode within Edge.
Once IE Mode was engaged, the phishing sites exploited the Chakra engine to launch attacks. In later stages, attackers chained the exploit with additional to escalate privileges and escape the browser sandbox, ultimately achieving full device compromise — posing severe risks to affected users.
To mitigate such threats, Microsoft now requires users to manually configure IE Mode within Edge’s settings. Users must navigate to Settings → Default Browser → Allow Sites to be Reloaded in IE Mode, then manually add the target domain before the browser will permit IE-based access.
This change is designed to ensure that enabling IE Mode becomes a deliberate and informed action, preventing users from being unknowingly manipulated into activating it through fraudulent prompts or quick-access icons in the Edge menu.
Notably, this policy update does not apply to enterprise environments. IT administrators within organizations can still manage IE Mode access through group policies, either enabling it for specific legacy sites or restricting it entirely to enhance overall — especially as the majority of modern websites no longer require IE compatibility.
- North Korean Hackers Exploit Zero-Day Flaw (CVE-2024-38178) in “Operation Code on Toast”
- Check Point Research Details 0-Day Flaw (CVE-2024-38112), Threatens Windows Users
- Operation “Code on Toast”: A Deep Dive into TA-RedAnt’s Exploitation of Zero-Day Flaw (CVE-2024-38178)
- Google exposes a Microsoft Edge browser flaw
- Microsoft released April Patch Tuesday to fix 67 security issues
