The critical holes plugged in Firefox 8 are code execution via NoWaiverWrapper, memory corruption while profiling using Firebug, and three miscellaneous memory safety hazards. Holes rated as high include cross-origin image theft on Mac with integrated Intel GPU, cross-origin data theft using canvas and Windows D2D, and potential XSS against sites using Shift-JIS.
Mozilla blamed the Mac flaw on Apple and Intel, saying that it could let attackers steal data by monitoring a Mac's graphics processor.
"This problem is due to a bug in the driver for Intel integrated GPUs on recent Mac OS X hardware, and the problem can be seen in WebGL implementations from other vendors", said Mozilla.
In addition, Firefox 8 disables add-ons installed by third parties without permission and asks the user to choose which add-ons should be enabled.
Firefox 8 adds a new master password feature for Android users. It allows users to encrypt and save their usernames and passwords for other mobile web apps in Firefox and to rely on the single master password.
Mozilla also released an update for its Thunderbird e-mail client, plugging the same vulnerabilities as in the Firefox browser.