The library, gdi32.dll, enables applications to use graphics and formatted text on both the video display and the printer.
"I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file," security researcher Mateusz Jurczyk wrote.
This is the second known bug for which there is no immediate remediation; a zero-day exploit for all versions of Windows is floating around as well, this being one that implements a SMB3 server and affects clients connecting to it.
It is the second time in the space of three months that Google has disclosed bugs affecting Windows and for which no remediation is available.
On the first occasion, Google disclosed details of a zero-day exploit which was being actively used in attacks in the wild.
The bug in gdi32.dll was initially disclosed in March 2016 and Jurczyk wrote that while he initially thought it had been patched as part of the security updates issued in June, he later found that this was not the case.
Thus, he re-issued his description of the bug in November. Ninety days from that day, the advisory he wrote became public, coming at the exact time when Microsoft cancelled its regular monthly set of updates. This month was supposed to have been the start of a new method of issuing these updates.
Comment has been sought from Microsoft.