A new vulnerability and Proof Of Concept (PoC) code has been posted to the Full Disclosure mailing list. Chris Evans says:

A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix. The bug permits — for example — an arbitrary web site to force the victim to make tweets.

A harmless example has also been posted on his site (see below) 

http://scary.beasts.org/misc/twitter.html

This bug appears to be strictly related to Internet Explorer and no fault of Twitter. At this time there does not appear to be a resonable workaround.  This appears to be a Cross-origin CSS attack which uses the style sheet import to steal confidential information from a victim website, hijacking a user’s existing authenticated session.

Chris continues to state that there is evidence to suggest that Microsoft has been aware of this since at least 2008.

Update: another PoC has been posted:

http://skeptikal.org/exploits/twitter/twitter_xss.html

How long do we have to wait for a fix?

You can protect yourself by using NoScript, RequestPolicy, or other client-side protections.