A pair of installation-related problems involving the new release of Microsoft's Office 2008 for the Macintosh won't cause damage to your data or prevent the productivity suite from running. But the issues, discovered by a user, pose potential security and administrative headaches. Microsoft is vowing fixes for both.
Issue No. 1: UID 502
Office 2008's installation problems first came to light thanks to Mac user Joel Bruner, who noted both issues in posts on his blog earlier this week. The first issue relates to file ownership, and requires some basic understanding of user accounts and installations in Mac OS X.
Every user account on your Mac has an associated user ID number (UID); Mac OS X uses these UIDs, rather than account names, to track which users have what access to various files and actions. When you initially set up your Mac, the first user account created is given UID 501 and has administrative access. The second account created gets UID 502 and whatever account status--admin, standard, or managed--the administrator gives the the account. The third user gets UID 503, and so on.
Normally, when you install software using Apple's Installer utility, each installed file is owned by either the system, by a specific user account as determined by the developer and laid out in the installation package, or by the user account performing the installation.
However, as Bruner pointed out in one blog entry, the Office 2008 installation doesn't do any of these things. Instead, the installation package installs almost all of its files--and their enclosing folders--with the owner set to user ID 502. This occurs regardless of which user account runs the installer, and regardless of the administrative status of UID 502.
If UID 502 is an administrative account on your Mac, this may not be an issue, as you've presumably given that account admin status for a reason. However, if you set up the second account on your Mac without administrative privileges, that account will still end up with free reign over all of Office's components, and thus the ability to delete or alter /Library/Fonts/Microsoft, /Library/Application Support/Microsoft, and /Applications/Microsoft Office 2008, as well as the contents of these folders. (The installation for the Special Media Edition of Office 2008 also creates the folder /Library/Automator if it didn't already exist, and gives UID 502 ownership of that folder, as well.) For instance, the user could replace a legitimate file with something else and even make that file executable (see below).
Similarly, if you've set up the second account on your Mac as a non-admin account for your own everyday use--ostensibly to prevent yourself from accidentally screwing things up--this "safety" account will have the power to delete or otherwise alter the Office 2008 installation.
Many users won't notice this situation, but it potentially poses a security issue, as it could provide a non-admin user the ability to modify files that would normally be accessible only to administrators.
Note that UID 502 will be set as the owner of Office 2008 files even if you've never created a second user account on your Mac--meaning your Office files will be owned by a user that doesn't exist. This is actually a preferable scenario, as a user that doesn't exist can't modify files.
Issue No. 2: Execute!
Bruner also discovered a second problem: Every file in the Office 2008 installation is executable. This means, speaking generally, that files--even things such as clip art and help files--are seen by OS X as "programs" and, if a particular file has executable code, can be run.
This problem should not affect normal use of Office 2008, but security experts generally frown upon the idea of thousands of unnecessarily-executable support files sitting on a drive. Such a situation isn't necessarily dangerous, but it opens up avenues for possible security exploits.
For example, if a security vulnerability were to be discovered in one of the more than 42,000 files installed by Office 2008, such a vulnerability could be easier to exploit if the file is executable. The only Office 2008 files that actually need to be executable are the actual programs, as well as folders.
Ad Choices