Microsoft confirms Office for Mac 2008 snafu

Computerworld - Office for Mac 2008 incorrectly assigns ownership of some files, Microsoft Corp. has confirmed, creating a potential security problem for businesses installing the new application suite.

Joel Bruner, a Chicago-based Mac consultant, was the first to notice the ownership snafu. "[Microsoft] moved to Apple's Package Maker (.pkg) installer files, good news for the enterprise, [but] unfortunately, they've created all the packages to install most all of the files with the owner set to 502."

In a shop where employees run with limited privileges -- a practice very common in companies -- and IT is the only user with full administrative rights, Office 2008's ownership assignment means that a user who wasn't supposed to have complete control over those files actually does. In other words, whomever is assigned user ID 502 has full read/write access to Office's files.

"So let's say, Mr. IT installs this on a user's machine where the first user is the admin (501) and the standard user is Joe User (502)," said Bruner in a post to his blog on Monday. "Well, when after [everything is] installed, it will give Joe User (502) ownership of these folders and their installed contents:

/Library/Automator/ (if it doesn't exist already)
/Library/Fonts/Microsoft
/Library/Application Support/Microsoft
/Applications/Microsoft Office 2008"

The screw-up could present a corporate security problem, at least internally, said Bruner, if that Mac's second, standard user -- user 502 -- decides to make changes to the folders and files by deleting some or moving others.

A Microsoft developer left a comment on Bruner's blog, confirming that the company knows about the problem. "The [Mac Business Unit] is aware of this issue," said Erik Schwiebert, a software design lead in the group.

Microsoft, however, did not immediately respond to queries about how it intends to correct the problem, and what users can do in the meantime.

Other commenters on Bruner's blog hesitated to blame only Microsoft, however. "The truth is that this is a long-standing flaw in Apple's Installer," argued someone identified as "Not Required." "Maybe Microsoft should have known better, but maybe Apple should also have improved their installer years ago. Apple clearly hasn't cared enough about smaller developers to make a fix, so hopefully Microsoft has a high-enough profile that something finally gets done."

In a follow-up post also on Monday, Bruner added that all the Office for Mac 2008 files owned by user 502 are also erroneously set as executable. "Now tell me does '/Microsoft Office 2008/Read Me.html' need to be executable for you to look at it?" asked Bruner. "Tick, tick, tick, *ding*! No. It does not."