Full Report
Microsoft is restricting access to Internet Explorer mode in the Edge browser after learning that hackers are leveraging zero-day exploits in the Chakra JavaScript engine to gain access to target devices. [...]
Analysis Summary
# Vulnerability: Zero-Day Exploitation of Chakra in Edge IE Mode Leading to RCE
## CVE Details
- CVE ID: Not specified in the summary (New zero-day exploit identified)
- CVSS Score: Not specified in the summary
- CWE: Specific CWE not cited, but the issue involves a JavaScript engine vulnerability leading to RCE.
## Affected Systems
- Products: Microsoft Edge (utilizing Internet Explorer (IE) Mode)
- Versions: All versions/configurations that allowed easy activation of IE Mode prior to the security update. Commercial users continue to use IE mode as configured via enterprise policies for now.
- Configurations: End-users relying on easily accessible methods (e.g., toolbar button, context menu, hamburger menu) to activate IE Mode for visiting specific websites.
## Vulnerability Description
Threat actors leveraged a zero-day exploit in the Chakra JavaScript engine used by Microsoft Edge's IE Mode. The attack began with social engineering: users were directed to a spoofed website that tricked them into loading a page in IE Mode. Exploiting the Chakra vulnerability then gave the attackers Remote Code Execution (RCE). They used a *second* vulnerability to escalate privileges and escape the browser sandbox, achieving full device control.
## Exploitation
- Status: Exploited in the wild (Confirmed by Microsoft intelligence)
- Complexity: Not explicitly detailed, but requires social engineering and exploitation of two chained vulnerabilities (Chakra RCE + Privilege Escalation/Sandbox Escape).
- Attack Vector: Network (via malicious website)
## Impact
- Confidentiality: High (Full device control achieved)
- Integrity: High (Full device control achieved)
- Availability: High (Full device control achieved)
## Remediation
### Patches
- **Chakra Exploit:** The specific exploit in Chakra remained *unpatched* at the time the advisory was published.
- **Mitigation via Configuration Changes:** Microsoft has actively restricted the methods used to activate IE Mode for consumer users.
### Workarounds
Microsoft has implemented temporary restrictions by removing easy activation methods for IE Mode:
1. The dedicated toolbar button is removed.
2. Context menu option for opening in IE Mode is removed.
3. Items in the hamburger menu related to IE Mode are removed.
**Required Action for Users:** Users who still require legacy functionality must now manually navigate to **Settings > Default Browser > Allow** and explicitly define the specific pages that should load using Internet Explorer Mode. Because only the listed pages can load in IE Mode, this significantly narrows the scope of potential attacks.
## Detection
- Indicators of Compromise: Not specified, but successful exploitation would likely result in unusual process execution originating from the Edge process, privilege escalation events, and unauthorized remote access.
- Detection methods and tools: Not explicitly detailed, but endpoint detection and response (EDR) tooling that looks for RCE chains originating from the browser process should be employed.
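
One way to act on the detection guidance above, as an added example (not part of the Microsoft advisory or this report): a triage pass over process-creation events that flags unusual children of the Edge and IE Mode host processes. The field names follow Sysmon Event ID 1; the process lists, the integrity heuristic and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: images that host page content when Edge uses IE Mode.
BROWSER_PARENTS = {"msedge.exe", "iexplore.exe"}
# Assumption: children a browser normally starts; tune to your own baseline.
EXPECTED_CHILDREN = {"msedge.exe", "iexplore.exe", "identity_helper.exe"}
# Assumption: interpreters and proxy-execution binaries, weighted higher.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ELEVATED = {"high", "system"}  # integrity levels above a normal browser

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"ParentImage": EDGE, "Image": EDGE, "IntegrityLevel": "Low"},
    {"ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "System"},
    {"ParentImage": EDGE, "Image": r"C:\Users\Public\example.exe",
     "IntegrityLevel": "Medium"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium"},
]

def triage(event):
    """Return (severity, reasons) for one process-creation event, or None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent not in BROWSER_PARENTS:
        return None
    reasons = []
    if child in INTERPRETERS:
        reasons.append("interpreter spawned by browser")
    elif child not in EXPECTED_CHILDREN:
        reasons.append("unexpected child of browser")
    if event.get("IntegrityLevel", "").lower() in ELEVATED:
        reasons.append("child runs above browser integrity")
    if not reasons:
        return None
    severity = "high" if child in INTERPRETERS or len(reasons) > 1 else "medium"
    return severity, reasons

def scan(events):
    """Return (index, severity, reasons) for every flagged event."""
    return [(i, *v) for i, ev in enumerate(events) if (v := triage(ev))]

if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_EVENTS):
        print(idx, sev, "; ".join(why))
```

The allowlist of expected children will need extending per environment (updaters, PDF handlers, enterprise plug-ins) before the "unexpected child" rule is usable without noise.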
## References
- Vendor Advisories: Microsoft Edge Security Team Advisory (Dated October 13, 2025)
- Relevant links - defanged: hxxps://microsoftedge[.]github[.]io/edgevr/posts/Changes-to-Internet-Explorer-Mode-in-Microsoft-Edge/