In my post about Printf Tricks a couple of years ago, I mentioned that "%n is dangerous and disabled by default in Visual Studio 2005."
I got email today from someone who was porting a large codebase to VS 2005. He was getting an assert from %n and he needed a way to get past it. He intends to fix the uses of %n when he has a chance.
I spent several minutes digging around in MSDN and came up with set_printf_count_output. Wikipedia’s Format string attack page led me to Exploiting Format String Vulnerabilities, which describes in detail how %n (and %s) may be exploited.
In short, if you have printf(unvalidated_user_input), instead of printf("%s", unvalidated_user_input), then placing %n into unvalidated_user_input can lead to printf writing arbitrary data into memory.