"The same applies to MS Windows Update"
Well, they would need to get both an SSL certificate and a code-signing cert that match Microsoft's public keys for both (the expected public key is shipped with Windows, and any updates to those keys are signed by the one before it).
It can be done, but it would take a really sophisticated attack campaign or the backing of a very powerful government. Of course, while there is a guarantee that it hasn't been tampered with, there is no guarantee of the quality of the code itself...