UL MCV 1376:2019-06 Methodology for Marketing Claim Verification: Security Capabilities Verified to level Bronze/Silver/Gold/Platinum/Diamond.

Software updates must be supported, using network or wireless interfaces where available

Description / guidance: No matter how well software is designed or tested, there will always be bugs and vulnerabilities that are missed. This is just a fact of software development and the sheer complexity of any body of code. So, the update of the software must be allowed in any device to ensure that it can be patched when any such bugs are found. It is an additional requirement that the software update must be able to be performed across a wireless or network interface, should the device provide such an interface. This increases the ease of use for the customer, removing disincentives to install updates. Security of the wireless and/or network interfaces is of course also important, and this is covered in later requirements.

This requirement ensures that such updates are possible, minimizing the risk that devices become permanently vulnerable through new attack methods that are discovered after the initial evaluation / shipping of the device. Checking for malicious changes to the software update is not covered under this requirement, and is instead addressed in a later requirement.

Automatic software updates must be enabled by default

Description / guidance: Although software must be maintained to ensure on-going patching of security vulnerabilities, it is reasonable to expect that customers may not always know about the latest vulnerability in a device. Therefore it is important that automatic updates are implemented to update the software in a device, so that customers do not become a blocking factor in patching a high risk vulnerability.
It is expected that device vendors will need to consider business / operational logic of the device when implementing such updates, so that a system does not reset during operation, but such business logic is considered outside of the scope of this assessment.

It is important to note that although this requirement outlines the need for automatic updates to be supported, it does not mandate when and how such updates are provided, and device vendors may choose to deploy only high risk patches through such mechanisms. In all cases, vulnerabilities rated to CVSS 7 or higher must be patched within 1 month, those rated between CVSS 4 to 7 must be patched within 3 months, and vulnerabilities rated to less than 4...