The vulnerability which affects AndroidOS 4.3 com.android.settings, enables any rouge app at any time to remove all existing device locks activated by a user. Curesec an IT Security company based in Berlin disclosed this vulnerability as Google Android Security Team was not responding any more about this issue.
Read more here – https://cureblog.de/2013/11/cve-2013-6271-remove-device-locks-from-android-phone/