Let me be more explicit: There is nothing that malware can do today that can't be done without privileged access. I'm not talking about the way they can modify the system, but the intended result of the modification. Malicious hackers may not be able to modify System32 or sbin, but they can still intercept your identity and steal all your money, without modifying your operating system or (in the case of memory-resident-only malware) a single file.
Just to be clear: Not having admin or root access does limit the possibilities for malware writers. They can't take their pick of all the current low-hanging fruit, but there are still plenty of ways to hack a user's computer without privileged access, and that's the pity. For years and years, we've been saying that users need nonprivileged accounts to do most of their work. We say this as if it is the Holy Grail of computer security -- as if it will end all malware as we know it today. But ultimately, this one change won't amount to a hill of beans. Malware writers will learn what it takes to do all the things they need to do without requiring admin access. They have many malware programs they can study today, and certainly, they will develop many new methods in the future.
Stopping malware isn't as easy as not being logged in as a nonadmin. For a real, long-term solution, see next week's column.