It’s been over a month since the Mac Rootpipe vulnerability hype was in the news headlines, and nothing has changed since my “Rootpipe need to know” 4/20/15 blog post.
The current situation is that although Apple claimed to have included a Rootpipe patch in the OS X 10.10.3 update, it’s been proven that the vulnerability still exists with OS X 10.10.3, meaning no version of OS X offers protection. https://objective-see.com/blog.html
Apple has yet to comment if they will be patching Rootpipe again, or if they’ll be releasing patches for older versions of OS X. Earlier this month they released Safari security updates for OS X 10.8, 10.9, and 10.10… so the jury is still completely out.
No threat has surfaced to date. Even if Apple does nothing, it’s quite possible we’ll never see malware exploiting Rootpipe “in the wild” due to other inherit security aspects of OS X, specifically: Gatekeeper, sandboxing, and XProtect. The actual risk may have been exaggerated by the hackers who created all the hype.