McAfee’s SiteAdvisor security add-on for Firefox could be blocked if the memory leak issues are not addressed. The current recommendation in Mozilla’s bug tracking system is to blacklist the application completely.
After a comment from a reader on his blog, Mozilla engineer Nicholas Nethercote did some testing and determined that SiteAdvisor is an “extremely annoying and unhelpful add-on.”
After his testing, he opened a report on Mozilla’s bug tracker system, recommending that the add-on be blocked by the browser. Should the latest version of SiteAdvisor be blacklisted, it will join previous SiteAdvisor versions that are blocked, as well as McAfee’s ScriptScan.
“This is the worst imaginable behaviour for an add-on in terms of memory consumption. It wouldn't surprise me if many earlier versions of SiteAdvisor also did the same thing,” Nethercote said in his ticket.
Others supported the move to block the add-on, while some stated it should be a last-resort action. Agreeing with Nethercote’s assessment, Justin Lebar, a programmer with Mozilla, stated simply:
“If we would never release a version of Firefox which we were aware had this bug, how can we justify letting this bug persist on users' machines for even one day longer than it has to?”
The main argument for blocking the latest SiteAdvisor release, and all of the others, is that even if McAfee addressed the memory and performance issues, the older versions being used by other people will still contain them. Given that people tend to ignore new versions of software for the most part – unless they are forced to upgrade – a simple patch would do little.
Jorge Villalobos, the developer relations lead for Mozilla, addressed the blocking suggestion with a wait-and-see approach. Soft-blocking the earlier versions of SiteAdvisor could be done, but only after McAfee has had enough time to fix the issues. However, the memory and performance issues as they are “don’t even come close” to being severe enough to block McAfee outright.
“It is very popular, all the more reason to not make rushed decisions and cause anger and confusion in (possibly) millions of users. What evidence is there that this is causing a bad experience to the significant portion of users that have this add-on installed? It's very likely that this bug has been present in that product for years, so why is there an urgency to fix this overnight by blocklisting? Why would we want to damage our relationship with McAfee by shooting first and asking later?” asked Villalobos.
At this point, nothing has been decided. McAfee’s SiteAdvisor has value for those who need that extra layer of Web protection, but the concern is that the added layer comes with too high a cost.
For their part, McAfee said they are aware of the issue and have patched the bug.
“McAfee is aware of a memory leak associated with SiteAdvisor 3.4.1 affecting some Firefox 10 users, resulting in a potentially slower than normal browsing experience. No data is at risk. The issue has been isolated and resolved, and fix deployment is targeted for the middle of next week.”