The problem started with IBM itself. IBM security researchers found the flaw back in September, and reported it to the Android Security Team at Google. Somehow, although IBM found the flaw nine months ago, the company mistakenly thought that the flaw affected all Android versions up to 4.3, but that wasn't accurate (although it has been reported that way from various outlets). In fact, the flaw only affects Android 4.3 and doesn't cause problems with any versions before or after. So, the flaw is only a problem for about 10% of the ecosystem.
The security flaw itself is a relatively dangerous one, which could allow malicious hackers to gain access to the Android KeyStore and uncover user banking and virtual private network credentials, PINs, and unlock patterns. That sounds pretty bad, but it turns out that there are fail-safes built into Android, like data execution prevention and address space layout randomization, which make exploiting the flaw very difficult. And, a hacker would also have to get a helper app installed on the target device in order to fully exploit the flaw. Of course, any flaw in the KeyStore is a serious matter; so, if you're stuck on 4.3, you should start bugging your manufacturer to update. And, as usual, be careful about side-loading apps because that's your best defense.