Apple QuickTime contains a stack buffer overflow vulnerability in the way it handles the RTSP Content-Type header. This vulnerability may be exploited by specially crafted RTSP stream protocol

Live Example

• GNUcitizen- Backdooring QuickTime Movies
• Apple QuickTime redirection to the RTSP exploit

Elia Florio (Symantec) wrap a good introduction post regarding QuickTime 0 day Exploit.

Known Vulnerabilities Proof of concept (milw0rm).

• Apple QuickTime 7.3 RTSP Response Content-Type Header Stack Buffer Overflow exploit
• Apple QuickTime Remote stack rewrite exploit for Internet Explorer 6 & 7
• Apple QuickTime 7.2/7.3 RTSP Response Universal Exploit (IE7/FF/Opera)
• Apple Quicktime (Vista/XP Sp2 RTSP RESPONSE) Code Exec Exploit

Workarounds

You may try the following workarounds, as there is no complete patch for this this vulnerability.

• Block TCP port 554 (optionaly 7070) and UDP 6970 through 6999 in your firewall
• Update Quicktime
• Disabled Apple Quicktime ActiveX control running in Internet Explorer (Windows registry file)
• For Firefox - Noscripts addons

Related Links

• RTSP - rfc2326 & RTP - rfc1889
• Apple Security Update on Safari 3 Beta Update 3.0.4
• NVD Database - Buffer overflow in Apple QuickTime
• Microsoft KB240797 - How to stop an ActiveX control from running in Internet Explorer

What is Adobe Version Cue (Bonjour)

Bonjour is a file management tool that is integrated in Adobe Photoshop, Adobe InDesign, Adobe Acrobat, Adobe Illustrator and other creative applications within the Creative Suite. It is client/server based. The clients are integrated into each of the applications and they all communicate with the Version Cue Server.

To make setup and configuration easier, Adobe uses Apple’s Bonjour technology to enable the connectivity to Version Cue servers on a local area network. Bonjour is widely used throughout Mac OS X and Windows in applications like iTunes and popular printers to allow users to set up a network service without any configuration.

As adobe install this programs without your permission, running in the background silently and there is no options to disabled it!. You should consider adobe version cue as a pestware and should be remove immediately.

There is four methods to removed bonjour services aka Adobe Version Cue CS3 Component.

1)  Manual removal

• Stop Bonjour service RUN > sc stop “bonjour service”
• Remove Bonjour services from windows startup RUN> sc delete “bonjour service”
• Disable the Bonjour socket driver:
  RUN > Regedit:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\
  Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004

  find key:
  Enabled=REG_DWORD:00000001 change it from 1 to 0.

• Reboot, the driver will not be loaded any more.
• Delete the Bonjour directory (with the files mDNSResponder.exe and mdnsNSP.dll).

2)  Apple Bonjour Official Uninstaller

Download Apple Bonjour for Windows and run the bonjour uninstaller.

3)  Optional Methods

Third methods will disabled bonjour services from running in the background. You’ll need to removed bonjour manually.
RUN > C:\Program Files\Bonjour\mDNSResponder.exe -remove

4)  Third party Uninstaller

• This is the prefer methods, as it wont affect others shared programs that depend on bonjour (ie: itunes, quicktime). Read on lifehacker for more info about Revo Uninstaller. Its free.
• Download and Installed Revo uninstaller.
• Start Revo uninstaller and wait till it finished populating the lists with all your applications and its components.
• Find and select Adobe Version Cue CS3. Click the Uninstall Icon to proceed. Select the “Moderate” options.
• After the first & second step is done (dont click finish yet), proceed with removing all bonjour registry.

You can used Revo Uninstaller to removed others “hidden” installed components package with Adobe CS3.

Related info

Software registry keys

Adobe Version Cue CS3 Client

MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}

External Links

• Repairs Winsock 2 settings, caused by buggy or improperly-removed Internet software
• WXPNews: Who Owns That File Format?