The official statement reads that HTC has concluded "that while this HTC software does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application… So far we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.
"HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it."
The company recommends all customers install the update, and to be wary of downloading apps from sources you don't trust.
The security flaw affects Android handsets, and is so dangerous someone could clone your entire phone's contents, from contacts to texts, GPS location, and more. Handsets affected are thought to be the Evo 3D, some Sensation models, and the upcoming Vigor. Android Police was said to still be looking into the flaw yesterday, but hopefully we won't have to wait long for the HTC fix.