Server 2003 Security

Wednesday, February 11, 2015
Steve Atkinson

Microsoft has this week patched the critical "JASBUG" vulnerability (MS15-011), which can allow remote code execution by granting attackers administrator-level privileges. The attacker has to trick a user into connecting their client machine to the attacker’s malicious domain, so it is aimed at the Enterprise.

But as a fix would require Microsoft to re-engineer core components of Server 2003, it WILL NEVER BE PATCHED for this OS.

Given most Enterprise customers are planning to pay Microsoft for on-going security patches after the end-of-life date in July 2015, as most did with XP, this is very worrying in my view as there will clearly be heightened risk! Also, as with XP, most of the third-party software running on legacy 2003 servers is past its sell-by date and not patched either.

I am amazed that a lot of Financial organisations are not more aggressively addressing this issue by migrating to newer platforms, instead of continuing to run applications / systems that are increasingly vulnerable to would-be attackers!