Well, it looks like there are. I've had users downloading the update-file from my computer. What if I had changed my local version to be a trojan + xolox. The user would not have noticed, unless xolox automatically contacts xolox.nl to check for md5 checksums or so. Does ist???
I've switched off the autoupdate feature and download updates manually