I am adding the call stack below:

0:000> sxe ld shcore
0:000> g
RecursiveDirectoryCreate( C:\Users\administrator.SAHGZ\AppData\Local\Google\Chrome\User Data directory exists )
(ce0.a98): Unknown exception - code 000006a6 (first chance)
ModLoad: 62d00000 62d0b000   C:\Python27\shcore.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Google\Chrome\Application\56.0.2924.87\chrome_elf.dll - 
eax=00000000 ebx=0014f450 ecx=0014f314 edx=77606bf4 esi=ffffffff edi=0014f46c
eip=77606bf4 esp=0014f280 ebp=0014f324 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000282
ntdll!KiFastSystemCallRet:
77606bf4 c3              ret
0:000> kp
ChildEBP RetAddr  
0014f27c 6908a00c ntdll!KiFastSystemCallRet
WARNING: Stack unwind information not available. Following frames may be wrong.
0014f324 690259cd chrome_elf!InjectDumpForHangDebugging+0x47c6c
0014f380 77620490 chrome_elf!SuccessfullyBlocked+0x6fd
0014f3d8 77620506 ntdll!LdrpMapViewOfSection+0xc7
0014f470 7761fa1e ntdll!LdrpFindOrMapDll+0x313
0014f5fc 77622167 ntdll!LdrpLoadDll+0x2d6
0014f634 757cb22e ntdll!LdrLoadDll+0xaf
0014f67c 763af103 KERNELBASE!LoadLibraryExW+0x215
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Google\Chrome\Application\56.0.2924.87\chrome.dll - 
0014f690 5c900623 kernel32!LoadLibraryW+0x11
0014f6a0 5cebf822 chrome_5bc80000!RelaunchChromeBrowserWithNewCommandLineIfNeeded+0x581f4
0014f6b8 5cebfe55 chrome_5bc80000!GetHandleVerifier+0x5ad422
0014f774 759d3462 chrome_5bc80000!GetHandleVerifier+0x5ada55
0014f798 77606b2e USER32!__ClientMonitorEnumProc+0x22
0014f7cc 759d3487 ntdll!KiUserCallbackDispatcher+0x2e
0014f7d0 5cec08ed USER32!NtUserEnumDisplayMonitors+0xc
0014f808 5d7ef33a chrome_5bc80000!GetHandleVerifier+0x5ae4ed
0014f824 5d537314 chrome_5bc80000!IsSandboxedProcess+0x6b2895
0014f858 5c8937b5 chrome_5bc80000!IsSandboxedProcess+0x3fa86f
0014f8a0 5c5350a3 chrome_5bc80000!ovly_debug_event+0xb1d885
0014f934 5be5e60f chrome_5bc80000!ovly_debug_event+0x7bf173
0014f948 5c5353cc chrome_5bc80000!ovly_debug_event+0xe86df
0014f9b0 5c53827a chrome_5bc80000!ovly_debug_event+0x7bf49c
0014fa74 5c533ace chrome_5bc80000!ovly_debug_event+0x7c234a
0014fa94 5c871cf5 chrome_5bc80000!ovly_debug_event+0x7bdb9e
0014fae0 5bd75e73 chrome_5bc80000!ovly_debug_event+0xafbdc5
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for chrome.exe - 
0014fb28 001e58d9 chrome_5bc80000!ChromeMain+0x150
0014fbec 001e1c24 chrome+0x58d9
0014fd14 0024bff8 chrome+0x1c24
0014fd60 763aef1c chrome!IsSandboxedProcess+0x2df68
0014fd6c 77623648 kernel32!BaseThreadInitThunk+0xe
0014fdac 7762361b ntdll!__RtlUserThreadStart+0x70
0014fdc4 00000000 ntdll!_RtlUserThreadStart+0x1b

Mitigation:

Specify a fully qualified path when using the LoadLibrary, LoadLibraryEx, CreateProcess, or ShellExecute functions 

OR

Use the LOAD_LIBRARY_SEARCH flags with the LoadLibraryEx function, or use these flags with the SetDefaultDllDirectories function to establish a DLL search order for a process and then use the AddDllDirectory or SetDllDirectory functions to modify the list.

(Ref:https://msdn.microsoft.com/en-us/library/windows/desktop/ff919712%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396) 

As a general rule, DLL replacement is outside of Chrome's threat model; permitting limited users to write to directories in another user's PATH variable is a configuration mistake on the system:

https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

It's unclear whether adopting Microsoft's DLL Loading advice would break anything we care about; it might be a nice defense-in-depth to match other browsers.  

Thanks for your response. I agree that if an Admin sets the system PATH variable to contain a world writable directory then it is a configuration mistake. However, the intent of the Admin is to get python running quickly. If a Windows application like Chrome does not restrict the sources from where the DLLs it uses are loaded, it is bound to get into trouble. 

Microsoft tries its best to find the DLL. But I believe the onus is upon Chrome developers to limit locations which they trust to pick Dlls from and directories mentioned in the PATH variable should never be trusted. That said Microsoft does provide preventive measures to restrict the source directories from where a Windows app picks the DLLs. The big question then is why not use these preventive measures?

Additionally, with reference to the article you shared; it states that "We consider these attacks outside Chrome's threat model, because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your computer as you, or who can run software with the privileges of your operating system user account". In my bug description I am referring to a case where a limited user is able to plant the DLL and an Admin then runs Chrome. So the limited user need not log in as an Admin and neither is the limited user required to run a software with the privileges of Admin's user account. It appears to be a clear case of privilege escalation. In the past Microsoft themselves have accepted such vulnerabilities, for instance CVE-2016-0041.

I would be extremely surprised if the Chrome team does not take preventive measures against insecure DLL loading.

Please also note that in CVE-2016-0041 - Among the many Microsoft software that tried to search for the culprit phoneinfo.dll; MS Edge was one of them.  

For what it's worth, sandboxed render processes do appear to call SetDefaultDllDirectories: https://cs.chromium.org/chromium/src/sandbox/win/src/process_mitigations.cc?q=LOAD_LIBRARY_SEARCH+package:%5Echromium$&l=48&dr=C but I wasn't able to find any equivalent calls for the outer browser process.

> So the limited user need not log in as an Admin and 
> neither is the limited user required to run a software 
> with the privileges of Admin's user account. 
> It appears to be a clear case of privilege escalation. 

The privilege escalation occurs at the moment when the limited user is able to copy a DLL to a PATH used by another user (as a result of the configuration mistake).

> In the past Microsoft themselves have accepted such vulnerabilities

Sometimes. I have submitted many instances of DLL hijacking issues to MSRC (see e.g. https://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/). Microsoft application teams typically say this isn't an application security bug, while Microsoft's OS team maintains that this isn't a platform security bug. Internet Explorer has patched issues of this nature (http://www.macworld.com/article/1133703/ms_safari.html) while other teams have not.

Marking as wontfix as this looks like a physically local attack as per comment 3.

elawrence@: if you think there is action that we really do want to take here, please re-open :)

Eric, thanks for sharing your experience with Microsoft. 

Over the years Chrome has earned the reputation of the safest browser in the market and I would appreciate if just like IE and MS Edge, Chrome as well takes remediation steps (at least to be at par with other browsers) to protect the outer browser process.

I agree with the fact that Microsoft has been accepting DLL hijacking issues when applicable only to their browsers, which makes this issue all the more relevant for Chrome.

I would request you to consider this for the betterment of the product. 

Hi, Since there is no commitment from Chromium team to fix this issue, I intend to make this vulnerability public on 14th March.

This would help Chrome customers realize that their browser may load DLLs from unsolicited directories and as a result arbitrary code could be executed with elevated privileges.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot