Does Mail.app attempt to display inline images by default, rather than as attachments? If so, the rather troubling result is that the script may well automatically execute simply by opening a malicious email. Considering how much havoc was caused by Outlook executing whatever script happened to land in the inbox, I'm sure we can imagine the potential for trouble here...
Well, I'm not a Mac user, so I can't really test this, but one would think that it shouldn't be able to work this way, as a file has to be marked as executable (i.e., chmod 755) in order to run. Images don't need to have the executable bit set to display, so I question whether this tidbit is true. /. is not the best place to get accurate information, but can often point you to a place to look :-)