Despite being the older and generally less secure OS, Windows XP's vulnerability landscape isn't that much different from Windows 7's, but that will change soon, as XP is nearing the end of its life: "After April 8, 2014, there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates."
Of all the currently known and public vulnerabilities, only the one also affecting Windows 7 (Microsoft Windows DAO 3.6 Object Library Insecure Library Loading Vulnerability) could be seen as critical -- and only in the very rare case when a user deliberately opens an unknown file with injected code.
There's also a mildly critical vulnerability, reported by ACROS Security, that targets certain applications (specifically iTunes or Safari) in which a user could be lured into opening a file via WebDAV or a network share. Again, highly unlikely, but easily fixable with these steps from Microsoft.
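The two issues above belong to the same class: a DLL is picked up from the current working directory when that directory is a WebDAV location or a network share. Microsoft's documented hardening for this class is the CWDIllegalInDllSearch registry value (KB2264107); it is an assumption that the linked Microsoft steps refer to the same setting. The script below is an added example, not code from the original post or from Microsoft; it audits the current value and sets it to 1, which blocks DLL loading from a WebDAV or UNC current directory. It assumes the corresponding Microsoft update is installed and that it is run from an elevated prompt.

```powershell
# Added example (not from the original post): audit and harden the
# CWDIllegalInDllSearch value that Microsoft documents against DLL preloading
# from remote folders. Run elevated; the value is only honoured once the
# matching Microsoft update is installed on the machine.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchPolicy {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'not set (current directory is searched, including WebDAV and UNC paths)'
    }
    # Read back as unsigned so 0xFFFFFFFF does not show up as -1.
    $raw = [uint32]('0x{0:X8}' -f [int32]$item.$name)
    switch ($raw) {
        1          { '1: DLL loading from a WebDAV or UNC current directory is blocked' }
        2          { '2: DLL loading from a WebDAV current directory is blocked' }
        4294967295 { '0xFFFFFFFF: current directory removed from the DLL search path entirely' }
        default    { "$raw : unrecognised value" }
    }
}

function Set-CwdDllSearchPolicy {
    param([uint32]$Value = 1)
    if ($Value -notin 1, 2, 4294967295) {
        throw "Unsupported value $Value; use 1, 2 or 0xFFFFFFFF"
    }
    # Value 1 covers both paths the post mentions (WebDAV and network shares).
    # 0xFFFFFFFF is stricter but can break applications that load DLLs from
    # their own working directory, so test it before rolling it out.
    # Registry DWORDs are written as Int32, so reinterpret the bits.
    $asInt32 = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $asInt32 -Force | Out-Null
}

"Before: $(Get-CwdDllSearchPolicy)"
Set-CwdDllSearchPolicy -Value 1
"After:  $(Get-CwdDllSearchPolicy)"
```

The `-notin` operator needs PowerShell 3 or later; on a PowerShell 2 host replace it with `-not (1, 2, 4294967295 -contains $Value)`.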
Luigi Auriemma discovered a bug in DirectX 9.0x (more specifically, in the DirectPlay 8 component) that malicious software can use to make games freeze and/or the server stop responding. Good news: only the DX9 version for Windows XP SP3 and Windows Server 2003 is affected; all other DX versions (10 and 11) are not.
PowerPoint 2000, 2002 and 2003
Is your office still running PowerPoint 2003 (or earlier)? Be careful when opening files from the web or from any source you don't know. When closing or saving a .PPT file, PowerPoint executes specific parts of that file, which could be used to a) crash the application or b) execute remote code. Solution: upgrade to Office 2007 or, if that's not possible or wanted, don't open any unknown .PPT files.
Outlook 2000 and 2003
I don't want to know how many smaller offices are still running good old Outlook 2003 on their systems. This unfixed vulnerability can be exploited if the user forwards an email that includes an unclosed "<OBJECT>" tag (which in turn is followed by the malicious code).
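Since the trigger described above is an HTML body with an OBJECT tag that is never closed, a mail gateway or a helpdesk script can flag exactly that pattern before such a message reaches an unpatched Outlook. The function below is an added example, not code from the original post; the sample bodies are constructed for illustration, and the check is deliberately simple (it counts opening and closing OBJECT tags and flags a surplus of opens).

```powershell
# Added example (not from the original post): flag HTML mail bodies that
# contain an <OBJECT> tag with no matching </OBJECT>. Sample bodies are
# constructed for illustration.

function Test-UnclosedObjectTag {
    param([Parameter(Mandatory = $true)][string]$Html)

    # Count opening and closing OBJECT tags, case-insensitively.
    $opens  = [regex]::Matches($Html, '<\s*object\b', 'IgnoreCase').Count
    $closes = [regex]::Matches($Html, '<\s*/\s*object\s*>', 'IgnoreCase').Count

    [pscustomobject]@{
        OpenTags   = $opens
        CloseTags  = $closes
        Suspicious = ($opens -gt $closes)
    }
}

# Constructed samples: one plain body, one balanced tag, one unclosed tag.
$samples = [ordered]@{
    'plain'    = '<html><body><p>Quarterly numbers attached.</p></body></html>'
    'balanced' = '<html><body><object data="chart.svg"></object></body></html>'
    'unclosed' = '<html><body><OBJECT data="x">trailing content</body></html>'
}

foreach ($name in $samples.Keys) {
    $r = Test-UnclosedObjectTag -Html $samples[$name]
    '{0,-9} open={1} close={2} suspicious={3}' -f $name, $r.OpenTags, $r.CloseTags, $r.Suspicious
}
```

Only the third sample is reported as suspicious. Nested or malformed markup can defeat a tag count, so treat a hit as a reason to quarantine for review rather than as proof of an attack.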