Microsoft is restricting access to Internet Explorer mode in Edge browser after learning that hackers are leveraging zero-day exploits in the Chakra JavaScript engine for access to target devices.
The tech giant did not share too many technical details but said that the threat actor combined social engineering with an exploit in Chakra to gain remote code execution.
"The [Edge security] team recently received intelligence indicating that threat actors were abusing Internet Explorer (IE) mode within Edge to gain access to unsuspecting users' devices," says Gareth Evans, Microsoft Edge Security Team Lead.
Although support for Internet Explorer ended on June 15, 2022, Microsoft Edge has an IE mode for legacy compatibility with older technologies (ActiveX and Flash) still in use with a small set of business applications and government portals.
In August, the Edge security team learned that threat actors were directing targets to "an official-looking spoofed website" that prompted users, through an interface element, to load the page in IE mode.
After exploiting the zero-day in Chakra, the attacker leveraged a second vulnerability to increase privileges and escape the browser, and take full control of the device.
Evans did not provide identifiers for the exploited vulnerabilities and said the flaw in Chakra is unpatched.
To mitigate the risk, Microsoft removed the methods that allowed activating IE mode in Edge through easy methods, like the dedicated toolbar button, context menu, and items in the hamburger menu.
Users who want IE mode active now have to navigate to Settings > Default Browser > Allow and define the pages that should be loaded using Internet Explorer.
The new restrictions aim at making the activation of IE mode an intentional user action. Furthermore, the list of websites approved to load in IE mode should make it very difficult for attackers to succeed in their compromise attempts.
These changes do not apply to commercial users, who will continue to use IE mode as configured through enterprise policies.
However, Microsoft reminded users that they should migrate from the legacy web technology in Internet Explorer to modern products that deliver better security, are more reliable, and come with improved performance.
(Score: 5, Interesting) by RamiK on Thursday October 16, @12:16PM (2 children)
https://www.ietab.net [ietab.net]
There's even competitors: https://ieability.com [ieability.com]
And, of course, Edge's own IE mode...
Healthcare, finance, aviation... What could possibly go wrong?
The Microsoft ecosystem in a nutshell.
compiling...
(Score: 0) by Anonymous Coward on Friday October 17, @04:28AM (1 child)
Oh, thank you so much. Here I thought that the IE11 nightmare would end in 2029 when the Enterprise Mode for Internet Explorer ends but no, these people are going to keep it around forever. Lovely.
(Score: 2) by RamiK on Saturday October 18, @09:26AM
FYI IE11 is available in Windows 10 IoT Enterprise LTSC 2022 (22h2, x64) and Server 2022 with a lifecycle that will last at least into early 2032 unless further extensions will be offered by some monthly subscription scheme. e.g. Server 2012's IE11 just recently received a version bump update under such a paid monthly updates programs: https://support.microsoft.com/en-us/topic/kb5065435-cumulative-security-update-for-internet-explorer-september-9-2025-de01367f-730b-4281-8a65-1f8996865725 [microsoft.com]
compiling...
(Score: 5, Insightful) by looorg on Thursday October 16, @02:44PM (2 children)
Best guess is that this is the explanation. Someone once upon a time wrote something with something like this and they just can't be bothered, or have the knowledge, to update it to something more modern. There is no available source anymore. So they would have to reinvent the wheel. Instead they'll just keep driving along until it all breaks down. Old Crud is old crud. This is the worst kind. Adobe Crud.
At least I know what the COBOL I wrote does. Flash? No idea.
(Score: 0) by Anonymous Coward on Friday October 17, @04:57AM (1 child)
People who support systems should know that software developers have a 'fire and forget' approach. Don't expect them to fix their bugs after a release. Especially true for free software and games. If you are expecting otherwise, don't hold your breath.
(Score: 4, Informative) by jb on Friday October 17, @06:46AM
Actually, in the free software world you're much more likely to see bugs being fixed post release (and indeed pre release) than in the dystopian proprietary software world (where bugs are simply redefined as "features" more often than not).