Reply to post:

Fatally flawed RC4 should just die, shout angry securobods

Nick Lowe

1) CVE-2013-2566 has only just had its CVSS v2 Base Score raised to 4.3 with a revised exploitability Subscore of 8.6: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566

This means that PCI-compliant organisations cannot use the cipher, as approved scan vendors will fail you if you have any vulnerabilities with a CVSS score >= 4.0.

2) As others have said, the RFC now has a number, 7465, and it's in the final stages before standardisation: https://tools.ietf.org/html/rfc7465

3) The reason that we have such a problem today with RC4 is because many organisations enabled and prioritised cipher suites that use the cipher because of the BEAST attack.

BEAST was a client vulnerability that affected CBC with TLS 1.0 but not RC4, a stream cipher. By making RC4-based cipher suites prioritised at the server end, you could cajole most clients into using it, mitigating BEAST.

However, all major Web browsers have implemented 1/n-1 record splitting that resolves BEAST.

Some security scanners/auditors therefore erroneously continue to flag this as an issue.

4) We’re still also waiting for the details of:

https://www.blackhat.com/asia-15/briefings.html#bar-mitzva-attack-breaking-ssl-with-13-year-old-rc4-weakness

This is likely to be a bigger break than the one mentioned in the article.
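The comment above describes server-side cipher lists that were reordered to put RC4 first as a BEAST workaround and now need RC4 removed per RFC 7465. The following is an added example, not part of the comment or The Register's article: it audits an OpenSSL-style cipher string for RC4 suites, produces an RC4-free list with an explicit `!RC4` exclusion, and then loads that list into a real `ssl.SSLContext` to confirm the linked OpenSSL cannot negotiate an RC4 suite. The `BEAST_ERA_CIPHERS` string is a constructed sample, not any real server's configuration.

```python
"""Audit an OpenSSL-style cipher list for RC4 and produce an RC4-free list (RFC 7465 compliance).

Added example; the cipher string below is constructed to resemble a BEAST-era server
preference list (RC4 suites first), not taken from a real deployment.
"""
import ssl

# Constructed sample: RC4 suites were commonly placed first to steer clients away from CBC/TLS 1.0.
BEAST_ERA_CIPHERS = (
    "RC4-SHA:RC4-MD5:ECDHE-RSA-RC4-SHA:"
    "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:AES256-SHA"
)


def split_cipher_list(cipher_string):
    """Split an OpenSSL cipher string on ':' into its individual entries, dropping empties."""
    return [entry for entry in cipher_string.split(":") if entry]


def rc4_suites(cipher_string):
    """Return the entries that positively enable an RC4-based suite.

    Entries beginning with '!' are exclusions (e.g. '!RC4') and are not counted.
    """
    return [
        entry
        for entry in split_cipher_list(cipher_string)
        if not entry.startswith("!") and "RC4" in entry.upper()
    ]


def harden_cipher_list(cipher_string):
    """Drop every RC4 suite and append '!RC4' so an alias such as 'ALL' can never re-add one."""
    kept = [
        entry
        for entry in split_cipher_list(cipher_string)
        if "RC4" not in entry.upper()
    ]
    return ":".join(kept + ["!RC4"])


def context_offers_rc4(cipher_string):
    """Load the list into a server SSLContext and report whether any negotiable suite uses RC4.

    Returns None if the linked OpenSSL supports nothing in the list (set_ciphers raises).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return any("RC4" in suite["name"].upper() for suite in ctx.get_ciphers())


if __name__ == "__main__":
    print("RC4 suites enabled:", rc4_suites(BEAST_ERA_CIPHERS))
    hardened = harden_cipher_list(BEAST_ERA_CIPHERS)
    print("Hardened list:     ", hardened)
    print("Context offers RC4 after hardening:", context_offers_rc4(hardened))
```

On a modern OpenSSL build RC4 is usually not compiled in at all, so `context_offers_rc4` returns `False` even for the original list; the string-level audit is what catches an RC4 entry lingering in a configuration file that will be deployed onto an older library.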
