The first vulnerability has apparently not been addressed yet, which Ormandy mentions may be the result of Mozilla needing time to review the updated extension before pushing it to users. Based on his tweet, it could reveal a user's password, but not all of the details have been revealed yet.

The issue reported by Tavis Ormandy has been resolved. We will provide additional details on our blog soon. — LastPass (@LastPass) March 21, 2017 We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix. — LastPass (@LastPass) March 22, 2017

The second issue could be more serious, with the ability to steal a user's passwords or, if the binary version of the extension is installed, run any code the attacker tells it to (in an example, Ormandy causes the target's computer to open a Calculator program.) According to LastPass the issue has been resolved, although a promised follow-up blog post with more details has yet to appear.

I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud — Tavis Ormandy (@taviso) March 21, 2017 I deleted a widely shared tweet id written "unpatched" in, because its now patched; was confusing w/o context. Lack of foresight on my part. — Tavis Ormandy (@taviso) March 22, 2017

There's even less info available about the latest vulnerability identified (updated -- see below.)

The pace of these discoveries and the lack of information from LastPass is certainly troubling, although using a password manager to maintain unique passwords can help protect you from being hacked. We've contacted the company and will update this post with any news, however, it may be wise to disable the affected browser extensions for now. If you're suddenly looking for another service to store your important login information, Tavis (who makes a habit of poking holes in security products) suggested KeePass, a manager that doesn't use browser extensions to keep a layer of security between websites and your vault.

Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way. pic.twitter.com/y92vm3Ibxd — Tavis Ormandy (@taviso) March 20, 2017

: LastPass has responded with a blog post . Regarding the bug above that affected clients in Chrome, Firefox and Edge, the company says it applied a server-side workaround. As far as the bug for Firefox 4.1.35a, the company says this has been addressed in a new version pushed last night, so users of that browser should make sure they've updated to 4.136a.

Finally, the bug Ormandy noted in the older (and soon to be deprecated) version of the LastPass Firefox extension is fixed in a new update, so users of that version should update to 3.3.6, via the browser's built-in system.