Read this just now in Slashdot: Mac OS X Root Escalation Through AppleScript. Basically, if a bad guy has physical access to your machine, he can also get root access with this line in the terminal (without a password):
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'All the more reason not to leave your machine logged in when you leave it. It does work!
It seems that if someone had physical access to your machine, they could wreak many shades of havoc with AS, even without Root, as most users are probably logged in with Admin privileges. Checking all the options in the Security pane is a prudent step, as is keeping strangers away from your equipment.
I’m going to agree with Marc on this. Physical security is as important as strong passwords, firewalls, etc… If someone has physical access there are numerous ways they can obtain root privileges… or just walk away with the HD =) This is the reason for locks on datacenter doors LOL