If you have your browser set to ask where to save every time you download a file, so it gives a prompt, can malware bypass that and download automatically and run?
Although there are javascript automatic downloads, I'm pretty sure it will just give you a prompt without you clicking a download button specifically. That is of course unless it's an exploit. Running automatically should be even harder, especially for something sandboxed like Chrome. But if you have someone targeting you or something, there probably is a way.