To pull it off, they'd first need to get root OS X root access via a malicious website, email attack or other vector. After a carefully designed program is planted, it could wait for the Mac to sleep (or force it to sleep), then flash the firmware when it wakens. Once inside, the malicious "rootkit" would be difficult to detect and delete compared to regular malware, surviving even re-installs or formatting. Though tricky to use on a large scale, the exploit could be used by attackers to gain "epic ownage" on individual targets, as Vilaca put it.
You could probably... trigger this, all remotely. That's pretty epic ownage.
Vilaca updated his original post to point out that the vulnerability's seriousness, saying it "appears to be an effective zero-day" problem. He confirmed that the bug works on a MacBook Pro Retina, MacBoook Pro 8.2 and a MacBook Air, with all models running the latest BIOS software. However, machines newer than about a year old appear to be immune to it -- possibly because Apple already knows about the issue and patched it, according to Vilaca. Also, even though the exploit is now out there, it would be trickier for attackers to implement than something like Heartbleed. Vilaca doesn't consider the disclosure irresponsible, saying that "the goal is to pressure them to fix their firmware." We've reached out to Apple for comment on the matter.