"But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 lets you alter other processes within the same session it is fairly trivial to do."
And this is easy? First of all, you would have a background application always visible in the task manager - problem 1 (and some anti-virus/anti-spyware software gives alarms if an unknown process is always active in the background).
It's a guessing game - there is a very high chance that the user won't elevate any application. If mom&pop work only with the browser+mail client+word, they don't see the elevation prompt that often. Maybe once a week or so (MAYBE) - problem 2.
Problem 3 - this attack works with a standard account! And exactly like that - it lurks in the background and injects into processes, and if the user elevates an infected process... boom. What's the difference? Where is the standard account superior then? The additional password request?
Your second way has the same problems. Sorry, but I still don't see how being able to circumvent UAC instantly, without any guessing games, is supposed not to be a vulnerability.
1) You just hide it inside rundll or name it creatively. Or have your entire logic only exist within existing processes, so for example you inject the logic into all the processes on the system, close, and those processes poll the OS for any new processes and pass it on if one exists. The only hard part about that is making sure that you don't inject twice, or twice at the same time.
2) If they don't escalate any of the applications then you've lost nothing.
3) The standard account only removes a limited amount of threat. It just means that if processes are launched directly into the admin's session they MIGHT be clean. It can be bypassed and can be broken. But it is harder than UAC on the same account is. A lot of these same techniques work on both, but not all of them. Fast user switching or logging out defeats much more, however.