It mostly depends on the type of attack. For example, a free program like tcpdump can be used to capture all of the data sent over the wireless connection, including traffic both to and from your computer. Thus, any unencrypted internet traffic to/from your computer can be transparently viewed, either at the time or later. In the simplest case, this includes every website you visit, but if the websites don't use HTTPS, this can include passwords and usernames. Also, some tools like nmap can be used to quietly scan a machine for any services you may have left open, and can then be used to attempt to break into them. In particular, remote desktop and screen sharing allow for simple visual observation of all behaviour on your machine.
On an open wireless network, unpatched exploits are worse, as an attacker can run arbitrary code on your machine. Most commonly, this will involve installing some piece of spyware, such as a keylogger to record keystrokes made on a computer.
Just to add to what Adam already said, there was an article on PCWorld last year where the author checked to see what he could see by snooping over public WiFi. Short answer: A LOT! It might be worth a read if you have time.
If they're on unencrypted wifi, going to non-ssl (https) sites, then they can basically see everything you're seeing. Not even close to the movie cliches. It's more like a window with a list of clickable "caches", that would then open up to the page you went to/are currently on. This in itself isn't that threatening. They won't be able to see info you type into a page unless it's a "post" and gets saved to the website database for frontend visibility.
Ever hear of Firesheep? Made a bit of news back in 2010. Here's an article that'll give you a brief description of the type of "can of worms" Firesheep opened up, as well as its predecessor, Cookie Cadger.
The biggest threat with these programs, in my opinion, is not the program itself, but the ability to use these programs to watch someone's habits (like which websites they normally go to) for a day or two and pick a non-ssl site to set up a man-in-the-middle attack.
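
Added example, not part of any of the answers above: the first answer notes that unencrypted traffic exposes the sites you visit and, without HTTPS, usernames and passwords. This Python sketch parses a constructed plain-HTTP login request and lists the fields that travel in cleartext; the host `forum.example`, the cookie, the credentials and the `SENSITIVE` field list are made-up assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: a login request as it would travel over plain HTTP (not real traffic).
SAMPLE_REQUEST = (
    b"POST /login?next=%2Finbox HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=alice&password=hunter2%21"
)

# Assumed list of form-field names worth flagging; extend it for the sites you use.
SENSITIVE = {"username", "user", "email", "password", "passwd", "pwd", "token"}


def cleartext_exposure(raw: bytes) -> dict:
    """Return the parts of an unencrypted HTTP request readable by anyone on the network."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)

    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    url = urlsplit(target)
    # Query-string fields are exposed on every request, form bodies on POSTs.
    fields = parse_qsl(url.query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields += parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)

    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value

    return {
        "site": headers.get("host", ""),       # which website you visited
        "page": url.path,                      # which page on it
        "cookies": cookies,                    # session cookies sent with the request
        "credentials": {k: v for k, v in fields if k.lower() in SENSITIVE},
    }


if __name__ == "__main__":
    for item, value in cleartext_exposure(SAMPLE_REQUEST).items():
        print(f"{item}: {value}")
```

Over HTTPS the request line, headers, cookies and body are all encrypted in transit, so none of these fields would be readable from a capture.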