Basically, the permissions are granted in a very old Android version, then "grandfathered" into the updated one(if the device ever gets updated).This is useless, mainly because devices that are still on 2.3 will NEVER see any updates. Ever. Also, it is useless because nobody makes devices that run 2.3 anymore, and the exploit is a few years too late.Finally, because the fault lies with the way 2.3 was dealing with unknown permissions. This whole thing is nothing more than some scare tactics targeting a 4 year old OS (not mentioned in the title, though) and lists it as something very actual, when in fact is completely outdated. Great journalism, indeed.
You guys all read the article and then got stop on the one example that they gave. Remember it's just an example. The flaw is still present in the newest versions as well. So if you update from 4.3 to 4.4 and the new version/update has additional permission options then apps can take malicious advantage of that as well. However, this will probably never get to be a huge deal, but it could just the same.