So, in other words, the user has to be a complete moron in order for this attack to work. I know there are still a small percentage of people out there that still click on every email link they get, but I would hope that phishing is a dying art and not much would ever come of this. I know that most of the people I supported would not be this amazingly stupid, nor would many in the entire company. Again, this sort of email attack vector is drilled into the heads of office workers everywhere as something to NOT fall for. The firmware vulnerabilities still need to be addressed, though ongoing training and social engineering will mitigate the possible threat a great deal.
The gullibility of users aside, that is not the bigger threat from such a worm. Sure, you could infect machines in this manner but right now the usual OS-specific attacks are easier and more lucrative. However, if you want to infect a specific target, especially one that is not connected to the broader internet or where you want to infect them and keep the infection unused and unnoticed until the target connects to the desired network, such a tool is useful, as TFA points out. It's of great use to spy agencies, because you can infect machines without intruding onto the network externally, by introducing infected peripherals or through other vectors such as custom agents who "check" a laptop upon entry. The target may then wipe and reformat their HD but you've already compromised their machine in a way they can't easily detect or fix. Pass out infected USB sticks at trade shows in hopes of hitting the target. Hell, leave one in the parking lot and hope whoever finds it sticks it into their laptop.