Microsoft Corp warned that cybercriminals have attacked users of its Office software for Windows PCs, exploiting a programing flaw that the software giant has yet to repair.

The world’s largest software maker issued the warning on Tuesday as it released patches to address nine other security holes in its software.

“Despite today’s fixes, Windows users continue to be under attack. Microsoft is taking two steps forward, while attackers are putting it one step back,” said Dave Marcus, McAfee Inc’s Avert Labs director of security research.

Cybercriminals target Microsoft programs because they are so widely used, allowing them to go after the largest number of potential victims with one set of code. (Windows runs more than 90 percent of the world’s PCs. Office has some 500 million users).

Hackers take advantage of the Office vulnerability by booby-trapping websites with malicious code that loads onto computers running Office software. Infected PCs are commandeered into a botnet, a network of hijacked computers. They are used for identity theft, spamming and other cybercrimes.

Microsoft did not say how many machines were attacked.

Users can prevent attacks by disabling functions within the Office software that allow it to work over the Web. Microsoft has posted a tool for doing that on its website — here

Office XP, 2003 and 2007 are vulnerable to the attacks.