Energizer has discontinued the sale of its Duo Charger/USB Charger due to a vulnerability
in the Windows-based software that was supposed to be downloaded to support it.
The devices allowed users to charge nickel metal hydride batteries from either a wall socket or a USB
connection. The documentation with the charger suggested users download
software from www.energizer.com/usbcharger (the page has since been
taken down). The software allowed the user to view the charging status
from a computer.
Code was inserted in the software - Windows
version only - that contained a backdoor allowing unauthorized remote
Removing the software won't completely remove the vulnerability,
either. A file, Arucer.dll, may be left behind and can be found in the
Windows system32 directory. The CERT Coordination Center said the file
won't be executable once the software is removed, but suggested
removing the file anyway.
Windows XP SP2 and later systems have
a firewall that, the first time the software is used, would alert the
user that the app was requesting permission to run. If the user did not
grant permission for Arucer.dll to run, the system would have remained
safe from the vulnerability.
The CERT warning
gave directions on how to block or restrict network access, as well.
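To check a machine for the leftover Arucer.dll described above, the following PowerShell sketch (an added example, not taken from the CERT advisory or from Energizer) looks for the file on disk and for any running process that still has it loaded. The SysWOW64 location and the variable names are assumptions made for this example.

```powershell
$dllName = 'Arucer.dll'

# System32 is the location named in the article. SysWOW64 is an assumption added
# here: on 64-bit Windows, 32-bit installers writing to system32 are redirected there.
$searchDirs = @('System32', 'SysWOW64') |
    ForEach-Object { Join-Path $env:SystemRoot $_ } |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container }

# 1. Is the file still on disk?
$onDisk = foreach ($dir in $searchDirs) {
    $path = Join-Path $dir $dllName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        [pscustomobject]@{
            Path      = $item.FullName
            Bytes     = $item.Length
            LastWrite = $item.LastWriteTime
        }
    }
}

# 2. Is any running process holding the DLL loaded? Run elevated to cover other
#    users' processes. A 64-bit host may not list modules of 32-bit processes, so
#    on 64-bit Windows repeat the check from the 32-bit PowerShell as well.
$loadedBy = foreach ($proc in Get-Process) {
    try {
        foreach ($mod in $proc.Modules) {
            if ($mod.ModuleName -ieq $dllName) {
                [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Module = $mod.FileName }
            }
        }
    } catch {
        # Access denied or process exited while being inspected; skip it.
    }
}

if ($loadedBy) {
    Write-Warning "$dllName is loaded in a running process:"
    $loadedBy | Format-Table -AutoSize
}
if ($onDisk) {
    Write-Warning "$dllName is present on disk:"
    $onDisk | Format-Table -AutoSize
    # After confirming nothing has it loaded, delete it as CERT/CC suggested:
    # $onDisk | ForEach-Object { Remove-Item -LiteralPath $_.Path -Force }
}
if (-not $loadedBy -and -not $onDisk) {
    Write-Output "$dllName not found on disk or in any inspected process."
}
```

A hit in step 2 means the DLL is still being executed, so the software has not actually been removed from that host.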