Here's the point of the exploit:
1. Attacker gets a shell on your user account, perhaps by exploiting a browser vulnerability (CVE-2013-0983) or by emailing you a crafted image (CVE-2013-0975). Yes, they are real, and those are only two that we know about. This is the hard part of exploitation.
2. Attacker can now read all your files and perform any actions that your user account can normally do. Usually attacker will stop here. Without knowing the system password, he can't perform system actions, primarily: can't read root-owned files, can't read files owned by other users, can't install kernel extensions, install hard-to-detect persistence, can't change passwords of other users, etc.
This is where the vulnerability comes in handy. If you just so happened to have ever run the "sudo" cmd successfully (as many devs do), and you are an administrative user (as the default user is in OS X), the attacker can easily upgrade to a "root" shell. That's a bummer, and Apple really should have patched this already; the sudo update has been around for 6 months or so now at least.