hmmm....

theoretically, if the attacking computer is local on the network, i could see how it might be possible to point you at a different dns, gateway, etc. such that you'd be on one end of a man-in-the-middle situation.

this isn't so much a result of the release of a dhcp lease, but rather the continuation of handling for ethernet frames - and the process through re-establishing tcp/ip connectivity from a "trusted" source through a broadcast mechanism.

i'll have to put some more thought into it - but windows dhcp clients have had a history of being prone to suggestion; so it might come down to a pre-existing patch.
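As an added example (not part of the original post), the scenario above can be watched for from the defender's side: parse each DHCP reply seen on the segment and flag any server identifier, gateway or DNS address that is not on an allowlist. The allowlist, the RFC 5737 addresses and the `build_reply` helper are constructed for illustration.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
WATCHED = {54: "server", 3: "router", 6: "dns"}   # option code -> label
# Assumed allowlist for this example network (constructed, RFC 5737 addresses)
TRUSTED = {"server": {"192.0.2.1"}, "router": {"192.0.2.1"}, "dns": {"192.0.2.53"}}

def parse_options(payload):
    """Return {option_code: raw_bytes} from a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def audit_reply(payload):
    """List (label, ip) pairs in a DHCPOFFER/DHCPACK that are not allowlisted."""
    opts = parse_options(payload)
    if opts.get(53) not in (b"\x02", b"\x05"):      # 2 = OFFER, 5 = ACK
        return []
    findings = []
    for code, label in WATCHED.items():
        raw = opts.get(code, b"")
        for off in range(0, len(raw) - 3, 4):       # each address is 4 bytes
            ip = str(ipaddress.IPv4Address(raw[off:off + 4]))
            if ip not in TRUSTED[label]:
                findings.append((label, ip))
    return findings

def build_reply(server, router, dns, msg_type=5):
    """Construct a minimal sample reply (test data, not a capture)."""
    def opt(code, *ips):
        data = b"".join(ipaddress.IPv4Address(ip).packed for ip in ips)
        return bytes([code, len(data)]) + data
    header = bytes([2, 1, 6, 0]) + bytes(232)       # op=BOOTREPLY, rest zeroed
    return (header + MAGIC + bytes([53, 1, msg_type]) + opt(54, server)
            + opt(3, router) + opt(6, *dns) + b"\xff")
```

Feeding `audit_reply` the UDP payload of every port 67/68 reply seen on a monitoring interface gives a basic rogue-DHCP alert; switch-level DHCP snooping remains the stronger control.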