Microsoft restrains exploited legacy IE mode in Edge browser

Threat actors have worked around the security enhancements in Microsoft's Edge web browser, by simply using social engineering to tell users to enter the legacy Internet Explorer mode to launch attacks that take full control of victims' devices.

Edge is based on the open source Chromium browser engine, whereas the Microsoft in-house developed Internet Explorer (IE) harks back to 1995, was set to end-of-life in June 2022, and is no longer supported.

Internet Explorer is nevertheless still in use by a small number of sites that depend on legacy technologies such as Microsoft ActiveX and Adobe Flash.

Business applications, older security camera interfaces, and some government portals still use IE mode, Gareth Evans of Microsoft's Browser Vulnerability team explained, as it's slow or impractical to update the underlying technology stacks.

Unlike Chromium-based web browsers, IE was not designed with robust architecture and defence-in-depth mitigations.

That weakness has been noted by attackers who in August this year used basic social engineering tactics along with exploiting a zero-day vulnerability in IE's Chakra JavaScript engine to bypass Edge's Chromium-enhanced security.

Evans said the threat actors would lure victims to an official-looking spoofed website, which showed a fly-out menu telling users to reload the page in IE mode.

Once the page was reloaded, the attackers would exploit the Chakra vulnerability for remote code execution, followed by using a second flaw to elevate their privileges to attain full control of victims' devices.

If succesful, this could lead to malware installation, lateral movement within corporate networks, or exfiltration of sensitive data, Evans said.

Now, Microsoft's Edge browser security team has removed what it said are the highest entry points for loading a web page in IE mode.

This includes the dedicated toolbar button, context menu, and the "hamburger menu" items.

It means that IE mode will need to be explicitly enabled on a site-by-site basis for non-commercial users. 

No changes were made to the logic for enabliing IE mode through enterprise policies.

It is not clear if Microsoft has patched the Chakra vulnerability in IE mode.