They've found another hole in Drupal's xmlrpc library and they have released a new version to fix it.
My advice: rename the xmlrpc.php file to something hard to guess and make sure no one can list your directories. You can also use mod_rewrite to limit access to the file to known IPs:
#
# Don't allow remote xmlrpc
#
# Dots are escaped so they match a literal "." rather than any character.
RewriteCond %{REMOTE_ADDR} !^(1\.2\.3\.4|127\.0\.0\.1)$
RewriteRule ^/?xmlrpc\.php - [L,F]
I fell victim to the last security hole and didn't update in time. Once bitten.
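To check that the restriction is actually holding, you can scan the access log for xmlrpc.php requests from addresses outside the allowlist that were not refused. This is an added example, not part of the original post; it assumes Apache's common/combined log format, treats 403 (the rewrite rule) and 404 (a renamed file) as blocked, and runs on constructed sample lines.

```python
import re
from ipaddress import ip_address

# Assumption: same allowlist as the RewriteCond in the post.
ALLOWED = {ip_address("1.2.3.4"), ip_address("127.0.0.1")}
# 403 = refused by the rewrite rule, 404 = file renamed away.
BLOCKED = {"403", "404"}

# Common/combined log prefix: client ident user [time] "METHOD target ..." status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def xmlrpc_leaks(lines):
    """Return (client, method, status) for xmlrpc.php requests from
    non-allowlisted clients that the server did not refuse."""
    leaks = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed or non-request line
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if not path.endswith("/xmlrpc.php"):
            continue
        try:
            if ip_address(client) in ALLOWED:
                continue
        except ValueError:
            pass  # hostname logged instead of an IP: not allowlisted
        if status not in BLOCKED:
            leaks.append((client, method, status))
    return leaks

# Constructed sample log lines (documentation-range client addresses).
SAMPLE = [
    '1.2.3.4 - - [10/Oct/2005:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2005:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 210',
    '198.51.100.7 - - [10/Oct/2005:13:57:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2005:13:57:40 +0000] "GET /node/1 HTTP/1.1" 200 9000',
    '192.0.2.44 - - [10/Oct/2005:13:58:03 +0000] "GET /xmlrpc.php?rsd HTTP/1.0" 200 300',
    '192.0.2.45 - - [10/Oct/2005:13:59:10 +0000] "POST /xmlrpc.php HTTP/1.1" 404 180',
]

if __name__ == "__main__":
    for client, method, status in xmlrpc_leaks(SAMPLE):
        print(f"{client} reached xmlrpc.php ({method}, status {status})")
```

Any line it reports means the file is still reachable from outside, so the rule is either not loaded or not matching.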

