Ah, heck. I think this bug is being actively exploited, so I may as well, so you can protect yourself. Here's the post I sent to the xmlrpc list.
I'm a little hesitant to post this here as it's a publicly available list, but I think I just found a security hole in xmlrpc that is being actively exploited, and as such, may as well sound the alarm.
The problem is in mw_editPost. It only validates that you can edit the post if the post_type is "post". But the post_type is exactly what you say it is, and it's easy to lie and say something is a page when it's actually a post, and edit it in the same way as a post (but while circumventing the checks). I think another routine has the same problem.
I created an ordinary subscriber with no special permissions and uploaded a special rpcxml file:
And was able to edit the post with ID 283, with nothing other than a subscriber account.
I'm turning off subscriber right now, and recommend everyone do the same or disable xmlrpc until this is fixed.
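The authorization pattern described above, beside a hardened version and the "disable xmlrpc" mitigation, as an added illustration rather than the poster's or WordPress's own code. It assumes a loaded WordPress environment (get_post, current_user_can, and the xmlrpc_enabled filter, which exists in current WordPress releases); the function names are hypothetical.

```php
<?php
// Added illustration, not code from the original post or from WordPress.
// Assumes WordPress is loaded (get_post, current_user_can, add_filter).

// Vulnerable pattern: the capability check is gated on the post_type the
// CLIENT sends, so a caller can claim "page" and skip the check entirely
// while still editing a real post.
function vulnerable_can_edit( $post_id, array $content_struct ) {
    $claimed_type = isset( $content_struct['post_type'] ) ? $content_struct['post_type'] : 'post';
    if ( 'post' === $claimed_type ) {
        return current_user_can( 'edit_post', $post_id );
    }
    return true; // any other claimed type: no check at all
}

// Hardened pattern: never use the client-supplied type for authorization.
// Resolve the stored post and let WordPress map 'edit_post' to the real
// capability (edit_posts, edit_pages, edit_others_*, ...) for its actual type.
function hardened_can_edit( $post_id, array $content_struct ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return false; // nonexistent post: deny
    }
    if ( isset( $content_struct['post_type'] )
         && $content_struct['post_type'] !== $post->post_type ) {
        return false; // claimed type disagrees with stored type: deny
    }
    return current_user_can( 'edit_post', $post->ID );
}

// Mitigation recommended in the post: turn XML-RPC off site-wide until the
// fix ships. Drop this in a mu-plugin; it uses the real xmlrpc_enabled filter.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

With the filter in place, XML-RPC requests are rejected before any method such as mw_editPost runs, which closes the hole for all subscribers without touching individual accounts.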