XML-RPC will be enabled by default in WordPress 3.5, but I personally think that’s a bad idea from a security perspective. A fellow Seattle WP developer, Ben Lobaugh, explains why on the Trac ticket..
Luckily, it’s easy to disable it. Just add this to a plugin:
add_filter( 'xmlrpc_enabled', '__return_false' );
I’ve added that to my security checklist for new installations, and updated my installation skeleton to include it. I’d recommend doing the same if you don’t plan on using it and are concerned about security.