Full Name
Christopher Byrd
Another 0-day in the wild, it must be Tuesday.
This time it is in Apple QuickTime, and a patch is not available from Apple as of this writing. QuickTime self-updates (along with an annoying offer to also install iTunes), so it should be patched widely once an update is available.
I've written an as-yet untested (YMMV) Snort signature to detect this:
alert tcp $EXTERNAL_NET $(RTSP_PORTS:-554) -> $HOME_NET any (msg: "Apple Quicktime RTSP Content-Type overflow attempt"; flow: established,to_client; content: "rtsp|2F|"; nocase; depth: 5; content: "Content-Type: "; nocase; content:!"|0A|"; within: 50; reference: url,www.kb.cert.org/vuls/id/659761; reference: url,www.milw0rm.com/exploits/4657; classtype: attempted-user;sid: 1071101; rev: 1;)
I'll post here when it's been tested. A couple of notes about this signature (did I mention it hasn't been tested?):
Some programs accept \n (0A) only, so I used 0A instead of 0D0A
It may be possible to bypass this sig with "HTTP Response Splitting"
RTSP_PORTS should be defined locally. The default RTSP port is 554/tcp.
Of course, port numbers can change, so you'll want this to be whatever you are allowing outbound (in other words, HTTP_PORTS is also a good choice), e.g.:
var RTSP_PORTS 554 (Snort < 2.8)
portvar RTSP_PORTS [554,$HTTP_PORTS] (Snort >= 2.8)
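The matching logic of the signature above, approximated in Python as an added example (not the author's code and not Snort's engine), so the 50-byte window and the choice of 0A over 0D0A can be checked against constructed RTSP responses. The helper names `rule_matches` and `response` are hypothetical, and treating a payload that ends inside the window as a match is an assumption of this sketch.

```python
import re

HEADER = re.compile(rb"content-type: ", re.IGNORECASE)  # content: "Content-Type: "; nocase
WINDOW = 50                                             # within: 50


def rule_matches(payload: bytes) -> bool:
    """Approximate the rule's three content checks on one server-to-client payload."""
    # content: "rtsp|2F|"; nocase; depth: 5  -> payload must start with "RTSP/"
    if payload[:5].lower() != b"rtsp/":
        return False
    # content:!"|0A|"; within: 50  -> no LF in the 50 bytes after the header name.
    # Every occurrence of the header is checked, as a retrying matcher would.
    for m in HEADER.finditer(payload):
        window = payload[m.end():m.end() + WINDOW]
        if b"\n" not in window:
            return True
    return False


def response(content_type: bytes, eol: bytes = b"\r\n") -> bytes:
    """Build a constructed RTSP response for testing (not captured traffic)."""
    lines = [
        b"RTSP/1.0 200 OK",
        b"CSeq: 1",
        b"Content-Type: " + content_type,
        b"Content-Length: 0",
        b"",
        b"",
    ]
    return eol.join(lines)


if __name__ == "__main__":
    cases = {
        "normal header, CRLF": response(b"application/sdp"),
        "normal header, LF only": response(b"application/sdp", b"\n"),
        "100-byte value": response(b"A" * 100),
        "49-byte value, CRLF": response(b"x" * 49),
        "49-byte value, LF only": response(b"x" * 49, b"\n"),
    }
    for name, payload in cases.items():
        print(f"{name:24} alert={rule_matches(payload)}")
```

With CRLF line endings the 0D counts toward the window, so a benign Content-Type value longer than 48 bytes also alerts; that is the threshold to keep in mind when tuning `within`.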
Be careful out there.