The most frustrating part of IT work is that you can’t fix every problem you find. That’s certainly the case with the retail version of Office 2008 that shipped last Tuesday. The installer is fraught with serious permissions issues, and currently the best solution is to wait for a fix from Microsoft before deployment.

The good news is, the Office 2008 installer utilizes Apple’s .pkg format, allowing for customization and deployment through Remote Desktop. The bad news is that the packages carry the wrong UID for installation, the UNIX identifier that determines ownership of files. In this case, that UID is 502, a user that may or may not be an administrator in business environments and likely doesn’t exist on single-user systems. This presents a significant management issue, allowing an unprivileged account to accidentally delete Office 2008 on multi-user systems.

Worse still, the Office 2008 files are all set as executable, meaning that they can be run as scripts. This isn’t just the applications, but the support files as well, such as templates, graphics, and documentation. The combination of these two errors could allow a malicious user to get around existing security policies.

There’s no guarantee that the same issues will be present in the corporate edition of Office shipping February 1st, and it’s more than likely that Microsoft will release a new installer or an update that remedies the problems. So if at all possible, the best approach is not to install the newest version of Office until these issues are resolved.

Update: On January 25th, Microsoft published some of these details in their “Office For Mac” weblog. On March 14th, they followed suit with the Office 2008 12.0.1 Update, addressing this and other bugs in the initial release.

Recommended Reading: This issue was first confirmed by Joel Bruner in his blog posts “Office 2008, 502, and you” and “Office 2008 for the executive”, and publicized by John Gruber at Daring Fireball. The Microsoft Business Unit published its response in their blog entry “Security issue in Mac Office 2008 Installer”.