Some people feel safe knowing that their system is exposed to zero or only one remote exploit, even though it is exposed to 400 local ones, because they're the only local user on their desktop box. This is a falsehood. Local exploits are just as dangerous as remote exploits, if not more so.
A remote exploit doesn't always mean root access. If an attacker exploits Firefox or XMMS, he gets the privileges of the user running it: an ordinary, unprivileged account, but a way in. The more common social engineering tactics don't even need a remote exploit; it's enough that the worm does something pretty, like displaying fireworks or pretending to be a screensaver, so that the user runs it himself.
This means that access to a local account, whether by remote exploit or by social engineering and worms, is fairly likely. Complex attacks aren't needed, nor are large amounts of stealth, and the payload doesn't even have to run the same day. All that's needed is one simple remote exploit into a user's account. Just slip a small program in, make changes to the user's account (everything in the home directory is writable by the account itself), drop a worm in ~/.mozilla/firefox/plugins.p9, then crash Firefox gracefully, and nobody will suspect anything.
With the above attack on Firefox, the user predictably sees what looks like a browser bug, and ignores it. The worm can now run every time the user logs in and check a site for encrypted plug-ins that let it attempt local privilege escalation exploits. This allows the worm to spread to other accounts or, ideally, to root. Since the plug-ins are encrypted, a signature-based IDS won't recognize the malicious code; base64-encode the encrypted data and it looks just like ordinary text on the wire.
Even if the worm doesn't get root with a local exploit, it can spread across user accounts and gain a better operating position. Worm children can communicate over AF_UNIX sockets or System V shared memory segments and operate distributed across user accounts to look less suspicious. They could even use a Firefox extension to do their networking from inside the Firefox process, where outbound connections are expected.
Soon enough the worm gets a plug-in that gains local root through a local exploit. Now that it has root, it can install a setuid-root binary similar to sudo, but without the password check, so that it keeps root access after the vulnerability is patched. This lets the worm regain root from any account, and possibly connect back to the attacker and give him a root shell.
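The two persistence tricks described above, modifying files in the user's own account so the worm runs at login, and dropping a setuid-root binary once root is obtained, both leave traces in the filesystem that an audit can look for. The following is an added example, not code from the original article: a small POSIX shell script with three checks. Which directory prefixes count as the "normal" home of setuid helpers is an assumption (the ALLOWED_PREFIXES list); adjust it to the distribution at hand.

```shell
#!/bin/sh
# Added example, not from the original article: audit for the persistence
# mechanisms described above.
#   1. setuid/setgid files outside the prefixes where a distro installs its
#      own setuid helpers (prefix list is an assumption; adjust as needed)
#   2. setuid/setgid files that are group- or world-writable, wherever they
#      are (anyone who can write such a file owns the privilege it confers)
#   3. recently changed files under a user's dot-directories, where a worm
#      that owns the account would install its login-time hook

# Directory prefixes where setuid/setgid helpers are normally expected
# (assumption). Anything under /usr/local, /opt, /tmp or /home is flagged.
ALLOWED_PREFIXES="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec"

# Print every setuid/setgid regular file under $1 that is not in an allowed
# prefix. -perm -4000 = setuid bit set, -perm -2000 = setgid bit set.
# -xdev keeps find on one filesystem, so run it once per mount point.
find_misplaced_setuid() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        allowed=0
        for p in $ALLOWED_PREFIXES; do
            case "$f" in
                "$p"/*) allowed=1; break ;;
            esac
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Print every setuid/setgid regular file under $1 that is writable by group
# (-perm -0020) or others (-perm -0002), regardless of where it lives.
find_writable_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null
}

# Print files under the dot-directories of home directory $1 modified in the
# last $2 days, skipping the browser/application cache under .cache.
# Startup files such as .profile or .config/autostart/*.desktop show up here.
recent_dotfile_changes() {
    home="$1"
    days="$2"
    find "$home" -xdev -path "$home/.cache" -prune -o \
        -type f -path "$home/.*" -mtime -"$days" -print 2>/dev/null
}

# Stand-alone usage: ./audit.sh --run   (repeat per mount point if needed)
if [ "${1:-}" = "--run" ]; then
    echo "== setuid/setgid files outside the expected prefixes =="
    find_misplaced_setuid /
    echo "== group/world-writable setuid/setgid files =="
    find_writable_setuid /
    echo "== dot-directory files changed in the last 7 days for $HOME =="
    recent_dotfile_changes "$HOME" 7
fi
```

Compare the setuid list against the file lists of your package manager rather than trusting the prefix list alone. Note the limit of this check: it catches a setuid binary dropped in an unexpected place or left writable, but once the worm holds root it can also tamper with find, ls and the package database, so the audit is only trustworthy when run from a clean boot medium or against a known-good baseline.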
This is how a local exploit is turned into a remote root exploit: all it takes is some remote way into a user account first. That way in does not have to be a software vulnerability; riding along as a trojan horse in e-mail or Web downloads is a common way for worms to spread through social engineering, which can be thought of as an exploit of the user himself.
Many worms today have demonstrated not only social engineering tactics but combined remote exploit tactics. Worms that use multiple exploits or combined tactics are becoming more prevalent: for example, a worm delivered through a malformed MP3 or PNG image that infects other MP3s or JPEGs sparsely and spreads itself via e-mail or simply by riding along with the media in a file-swapping program. Because this won't normally gain root access by itself, local exploits become very valuable to an attacker, even on a single-user system.