In my post about Printf Tricks a couple of years ago, I mentioned that "%n is dangerous and disabled by default in Visual Studio 2005."

I got email today from someone who was porting a large codebase to VS 2005. He was getting an assert from %n and he needed a way to get past it. He intends to fix the uses of %n when he has a chance.

I spent several minutes digging around in MSDN and came up with set_print­f_­coun­t_out­put. Wikipedia’s Format string attack page led me to Exploiting Format String Vul­ner­a­bil­i­ties, which describes in detail how %n (and %s) may be exploited.

In short, if you have printf(un­val­i­dat­ed_user_in­put), instead of printf("%s", un­val­i­dat­ed_user_in­put), then placing %n into un­val­i­dat­ed_user_in­put can lead to printf writing arbitrary data into memory.