Can a TIFF have executable code in it?

I know, it sounds like a strange question, but I have strange symptoms.
I created a bunch of TIFF files using the program “CloudCompare.” I have my computer set up so that the default app for TIFF files is Photoshop, and the default app for JPEGs is Preview. I had no problem dragging the TIFF files onto Preview to open them (better UI for the task at hand).
But then I decided to use the Finder “Get Info” dialog to change the default app for these TIFFs, and these TIFFs alone, to Preview.
After that I got the error message:


I Control-clicked on the file and chose “Open” from the drop-down menu, and I got the message

Why would macOS think that a TIFF file is an app?

I downloaded CloudCompare and tried the Render to File option without doing anything else. I tried .tif and .bmp, both files had the quarantine attribute. Opening them in Preview.app, the default, works without problem; if I use Get Info to change either file to use anything else (Photoshop, Pixelmator, even QuickTime Player), I get the same warnings as you (in case it matters, I’m using an admin account on macOS 14.3.1).

This seems like a macOS bug but it wouldn’t happen if CloudCompare didn’t add the attribute in the first place.

According to “Quarantine and the quarantine flag”, setting the flag is up to the application; I don’t know why they’re choosing to set it.

1 Like

The Quarantine flag is intended for apps to apply to content downloaded from the Internet. The idea is to make sure you really intend to open something you download.

I agree that it would be very strange for an app to apply it to files created locally. Assuming they are created locally. Could it be that CloudCompare is using an Internet/cloud service to do its heavy lifting, downloading the result? If so, then the flag might make sense.

That having been said, after doing a bit of web searching, I did run across CVE vulnerabilities in LibTIFF and other related libraries where a malicious document could theoretically run arbitrary code. But all the articles were many years old so I’m sure Apple already patched any vulnerability that they might have had at the time.

Finally, TIFF (like many other modern media formats) is a container-type format. It may contain data in a wide variety of different formats, even though uncompressed/lossless-compressed bitmap data is the most common format used. I assume it can contain script-like image formats (e.g. PostScript, PDF, Windows Metafiles, etc.), which could be thought of as executable.

So yes, a TIFF could in theory have executable code in it, but I don’t think there’s a practical danger at this time, and this particular situation does sound like a bug in the app that’s creating the files.

2 Likes

Thank you Curtis and David. Now I sort-of understand the issue. Why the quarantine attribute comes out only when I change the default app makes no sense to me at all, nor do I understand why Apple says the file “may be an app.” Those seem to me to be bugs in Apple’s code and/or user interface. CloudCompare is not terribly well ported to macOS, I think it was a Windows program originally.

Again, thanks for the insight. That’s what I come to this discussion group for.

So, I talked to 2nd-level support at Apple, trying to convince them that this was a bug, and I failed.

The advisor reminded me that after double clicking the file and getting the “cannot be opened because it is from an unidentified developer” message I can go to System Preferences:Privacy & Security and find the “ was blocked from use because it is not from an identified developer” message and then click “Open Anyway.” For 30 or 40 files this would be even more onerous than right clicking and choosing “Open” for each one.

I pointed out to my support person the following which I wanted to bring to the attention of Apple:

  1. The quarantine is not effective if I can drag the file onto an app (in the Dock) and it will open anyway
  2. The quarantine is not effective if I can double click the file and have it open in its default app
  3. There is no reason why changing the default app of a document should trigger the warning
  4. The warning on double clicking tells me that the TIFF file is an app
  5. The warning on right clicking and choosing “Open” tells me that the TIFF file may be an app

And he responded that Apple is not responsible for the TIFF format, and so they cannot fix the problem.

I guess I probably should file a bug report with Apple, maybe somebody there will be listening. (And suggest to the developer of CloudCompare that setting the quarantine flag is not a good idea).

🤦‍♂️
Sigh!

1 Like

I’d suggest filing a bug report, but not with Apple. The developer needs to own this because it’s files generated by their application that are causing the problem. If they need to, they can deal with Apple, not you.

2 Likes

I’m not so sure it is the developer’s fault. I have this issue when I change PDF files to be opened by Skim.

  1. Download PDF from the web using Safari.
  2. PDF opens fine in Preview with a double-click.
  3. Get Info on the PDF and change the ‘Open With’ option to Skim.
  4. Double-click the PDF and I get the warning: “Filename.pdf” cannot be opened because it is from an unidentified developer. macOS cannot verify that this app is free from malware.

If I change the ‘Open With’ back to Preview it will again open without issue.

It’s highly annoying behaviour, but I think the only one to blame is Apple. Skim hasn’t touched the file. macOS seems to be happy to open PDFs in Preview without warning, but if you use a different (non-default?) PDF viewer the world might end.

I imagine something similar is happening with @alanterra’s TIFF files. I doubt it is the fault of CloudCompare. Maybe macOS throws up the warning for certain file types if the ‘Open With’ has been changed to something other than the default? @alanterra one thing you could try (not to solve the problem, but to better understand it) is to change the default app for TIFFs to Preview. Then see if the behaviour is reversed: will Preview open them without complaint but if you change an individual file to open in Photoshop you get the warning?

But this makes perfect sense - downloaded content should have the quarantine flag. The real questions here are:

  • Why doesn’t Preview also warn you? It could also have bugs exploitable by a malicious document.
  • Why is CloudCompare adding the quarantine flag to locally-generated documents?

1 Like
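
The flag discussed in this thread is stored in the `com.apple.quarantine` extended attribute as `flags;timestamp;agent;event-uuid`, so the attribute itself names the application that set it. The script below is an added example, not part of the original thread: it decodes that value and reports it per file. The function names and sample values are constructed for illustration, and the meaning given to flag bit 0x0040 is an assumption noted in the code.

```shell
#!/bin/sh
# Added example: decode macOS's com.apple.quarantine extended attribute.
# Value layout: flags;timestamp;agent;event-uuid (flags and timestamp in hex).

# parse_quarantine VALUE
# Prints "flags=0x.. epoch=.. approved=yes|no agent=.."; returns 1 if malformed.
parse_quarantine() {
    IFS=';' read -r q_flags q_ts q_agent q_uuid <<EOF
$1
EOF
    # Both numeric fields must be non-empty hex strings.
    for q_field in "$q_flags" "$q_ts"; do
        case $q_field in
            ''|*[!0-9A-Fa-f]*) return 1 ;;
        esac
    done
    q_epoch=$(printf '%d' "0x$q_ts")   # seconds since the Unix epoch
    # Assumption: bit 0x0040 is widely reported to mean "user approved the
    # first open"; Apple does not publish the flag definitions.
    if [ $(( 0x$q_flags & 0x40 )) -ne 0 ]; then q_ok=yes; else q_ok=no; fi
    printf 'flags=0x%s epoch=%s approved=%s agent=%s\n' \
        "$q_flags" "$q_epoch" "$q_ok" "${q_agent:-unknown}"
}

# quarantine_report FILE...
# Reads the attribute with the stock macOS xattr tool and decodes it per file.
quarantine_report() {
    for q_file in "$@"; do
        if q_value=$(xattr -p com.apple.quarantine "$q_file" 2>/dev/null); then
            printf '%s: %s\n' "$q_file" \
                "$(parse_quarantine "$q_value" || echo unparsable)"
        else
            printf '%s: not quarantined\n' "$q_file"
        fi
    done
}

# Constructed sample values (not taken from the thread):
parse_quarantine '0081;65d4f2a0;CloudCompare;'
parse_quarantine '00c3;65d4f2a0;Safari;1B2C3D4E-0000-4000-8000-000000000001'
```

On a Mac, `quarantine_report *.tif` run in the folder of rendered files shows whether each file carries the attribute and which agent wrote it.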