Microsoft investigates public report of IE8 zero-day vulnerability

Google security researcher Chris Evans has revealed details of the vulnerability in a post to the Full Disclosure mailing list, according to Australian reports.

Evans said the vulnerability could be exploited to steal data or allow an arbitrary website to force a user to post a message on a social networking site such as Twitter.

The post included a link to a proof-of-concept exploit, a practice that Microsoft has repeatedly condemned.

Microsoft called for "co-ordinated vulnerability disclosure" in a blog post in late July, to get security researchers to reveal security flaws to Microsoft before going public.

According to Evans, Apple, Google, Mozilla and Opera have fixed the flaw in their browsers, but his attempts to get Microsoft to release a patch have been unsuccessful.

Microsoft has indicated that it is aware of the issue and is investigating, but said the company was unaware of any attacks trying to use the claimed vulnerability.

This story was first published by Computer Weekly
 
