Questions? Answers! See also: Alternativlos
I disagree. Saying you can either crash or get owned is a false dilemma.
Crashing instead of getting owned does not help the customer, because he can still lose his data. He won't get a worm (unless you missed some other wormable issue), but that just reduces the severity from "critical" to "moderate". It's still a bug. The customer still wants it fixed. The only one who actually gains from this is you, because you only have to answer for a DoS, not a worm.
So my point of view is: crashing when you detect an error is a cop-out, an ass-covering mechanism big companies like to use, because it's easier to crash than to implement error handling.
Similar issue: using try/except to catch access violations (AVs) and then popping up a window saying "uh, that Word file smelled funny". That is not error handling, that is ass covering.
Security is never simple. Security is work. Yes, you will actually have to do something to make your code more secure. Just adding a try/except or SafeInt band-aid does not make the product more secure, it's just ass covering. Why am I paying $500 for a piece of software that does not even really try to be secure but just applies some ass-covering filter?
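To make the difference concrete, here is an added example (my code, not from the original post) for a toy record format I am assuming purely for illustration: a 4-byte little-endian length followed by that many payload bytes. The band-aid version detects the bad length and aborts; the error-handling version validates every length against what is actually present, returns a status the caller can act on, and leaves everything already parsed intact. The sample input is constructed, not real file data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy record format (assumption for this example): u32 LE length || payload. */

enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_TRUNCATED,   /* input ends inside a header or payload */
    PARSE_ERR_TOO_LARGE,   /* payload does not fit the destination buffer */
};

struct record {
    uint8_t data[64];
    size_t len;
};

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The band-aid: detect the bad length, then give up. Nothing gets owned,
 * but the process dies and any unsaved work dies with it. */
void copy_record_bandaid(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in_len < 4) abort();
    uint32_t len = load_le32(in);
    if (len > in_len - 4 || len > sizeof out->data)
        abort();                       /* "crash instead of get owned" */
    memcpy(out->data, in + 4, len);
    out->len = len;
}

/* Real error handling: check every length against the space that is really
 * there before touching memory, report what went wrong, and only advance
 * *consumed on success so the caller's state stays consistent. */
enum parse_status parse_record(const uint8_t *in, size_t in_len,
                               size_t *consumed, struct record *out)
{
    size_t off = *consumed;
    if (off > in_len || in_len - off < 4)      /* no room for the header */
        return PARSE_ERR_TRUNCATED;
    uint32_t len = load_le32(in + off);
    /* Compare against the remaining space; never compute off + 4 + len first,
     * because that sum can wrap around on a 32-bit size_t. */
    if (len > in_len - off - 4)
        return PARSE_ERR_TRUNCATED;
    if (len > sizeof out->data)
        return PARSE_ERR_TOO_LARGE;
    memcpy(out->data, in + off + 4, len);
    out->len = len;
    *consumed = off + 4 + len;
    return PARSE_OK;
}

/* Parse as many records as possible. On a bad record, stop and report it;
 * the records parsed so far remain valid, so the caller can still save them. */
size_t parse_all(const uint8_t *in, size_t in_len, struct record *recs,
                 size_t max_recs, enum parse_status *status)
{
    size_t consumed = 0, n = 0;
    *status = PARSE_OK;
    while (consumed < in_len && n < max_recs) {
        enum parse_status st = parse_record(in, in_len, &consumed, &recs[n]);
        if (st != PARSE_OK) { *status = st; break; }
        n++;
    }
    return n;
}

/* Constructed sample input: two valid records ("hi", "sec") followed by one
 * whose header claims 4 GiB of payload with a single byte actually present. */
static const uint8_t SAMPLE_BAD_LENGTH[] = {
    2, 0, 0, 0, 'h', 'i',
    3, 0, 0, 0, 's', 'e', 'c',
    0xff, 0xff, 0xff, 0xff, 'x',
};

size_t demo_bad_length_count(void)
{
    struct record recs[4];
    enum parse_status st;
    return parse_all(SAMPLE_BAD_LENGTH, sizeof SAMPLE_BAD_LENGTH, recs, 4, &st);
}

enum parse_status demo_bad_length_status(void)
{
    struct record recs[4];
    enum parse_status st;
    parse_all(SAMPLE_BAD_LENGTH, sizeof SAMPLE_BAD_LENGTH, recs, 4, &st);
    return st;
}

/* Constructed sample: a record that is fully present but one byte too big
 * for struct record (65 bytes of payload into a 64-byte buffer). */
enum parse_status demo_too_large(void)
{
    uint8_t buf[4 + 65];
    buf[0] = 65; buf[1] = buf[2] = buf[3] = 0;
    memset(buf + 4, 'A', 65);
    size_t consumed = 0;
    struct record r;
    return parse_record(buf, sizeof buf, &consumed, &r);
}

int main(void)
{
    printf("records kept before the bad one: %zu (status %d)\n",
           demo_bad_length_count(), (int)demo_bad_length_status());
    printf("oversized record status: %d\n", (int)demo_too_large());
    return 0;
}
```

The point of `parse_all` is that the caller keeps the two good records and gets a status it can turn into a real message; `copy_record_bandaid` on the same input simply terminates the process.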
I'm not just ranting about Windows here, btw. Linux limits the size_t arguments to read() and write() to below 2 GiB, because some crappy kernel code might use signed ints for lengths and would blow up otherwise. O RLY? That's not security, that's just ass covering. And this coming from the GNU people, who used to distinguish their software from other Unix software by removing arbitrary limits.
This attitude is pervasive in the software industry, and I hate it. Also because you end up doing the work twice: first you apply a band-aid, then someone finds a way around it, or someone notices that a crash while saving a document can destroy data and is just as bad for the customer, and you have to fix it again, this time for real.
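Whatever one thinks of the kernel-side cap, the application side has to deal with its consequence: a single write() or read() on Linux can move fewer bytes than asked for, and not only because of that limit (pipes, sockets and signals cause short transfers too). Here is an added example (my code, not from the original post) of the loop that actually handles this instead of assuming one call moved the whole buffer. The round-trip demo uses a pipe and a constructed message; the 0x7ffff000 figure is the Linux MAX_RW_COUNT value, not something this code relies on.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write the whole buffer, looping over short writes and EINTR.
 * Returns 0 on success, -1 with errno set on a real error. On Linux a single
 * write() never transfers more than MAX_RW_COUNT (0x7ffff000) bytes, so a
 * caller that checks only "n < 0" silently drops data past that point. */
int write_all(int fd, const void *buf, size_t len)
{
    const uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted, just retry */
            return -1;                      /* genuine error, report it */
        }
        if (n == 0) {                       /* no progress: treat as an error */
            errno = EIO;
            return -1;
        }
        p   += (size_t)n;
        len -= (size_t)n;
    }
    return 0;
}

/* Read until the buffer is full or EOF. Returns bytes read, or -1 on error. */
ssize_t read_all(int fd, void *buf, size_t len)
{
    uint8_t *p = buf;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, p + got, len - got);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (n == 0) break;                  /* EOF */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Constructed demo: push a small message through a pipe with write_all,
 * read it back with read_all, return 1 if it survived intact, else 0. */
int demo_roundtrip(void)
{
    static const char msg[] = "short writes happen";   /* constructed input */
    int fds[2];
    char out[sizeof msg];

    if (pipe(fds) != 0) return 0;
    if (write_all(fds[1], msg, sizeof msg) != 0) { close(fds[0]); close(fds[1]); return 0; }
    close(fds[1]);                          /* so read_all sees EOF */
    ssize_t n = read_all(fds[0], out, sizeof out);
    close(fds[0]);
    return n == (ssize_t)sizeof msg && memcmp(out, msg, sizeof msg) == 0;
}

int main(void)
{
    printf("round trip %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The same loop shape is what a "save document" path needs: a partial write that is not retried is exactly the data-destroying failure the post complains about, whether the cause is a kernel cap or a full pipe.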