Fake windows update
Full question
https://superuser.com/questions/797383/f...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
--
Tags
#windows7 #windows #windowsupdate
#avk47
ACCEPTED ANSWER
Score 31
It is nearly impossible for an ordinary hacker to send you something through the Windows Update system.
What you heard is different though. It's spyware that looks like it's Windows Update and tells you to install it. If you then click install, a UAC prompt pops up asking for administrative privileges. If you accept that, it can install spyware. Do note that Windows Update will NEVER require you to pass a UAC elevation test. This is not required as the Windows Update service runs as SYSTEM, which has the highest privileges. The only prompt you'll get during Windows Update installations is approving a license agreement.
EDIT: made changes to the post because the government may be able to pull this off, but I doubt that, as a normal citizen, you can protect against the government anyway.
ANSWER 2
Score 8
Yes, it's true.
The Flame malware attacked users via a flaw in the Windows updating process. Its creators found a security hole in the Windows updating system that allowed them to fool victims into thinking that their patch, which contains malware, is an authentic Windows update.
What could the targets of the malware do to defend themselves? Not much. Flame went years being undetected.
However, Microsoft has now patched the security hole that allowed Flame to hide itself as a Windows update. That means hackers either have to find a new security hole, bribe Microsoft to give them the ability to sign updates, or simply steal the signing key from Microsoft.
An attacker additionally has to be in a position in the network to run a man-in-the-middle attack.
That means in practice this is only an issue that you have to worry about if you think about defending against nation-state attackers like the NSA.
ANSWER 3
Score 2
Only ever use the Windows Update control panel to update Windows software. Never click through on any site you cannot fully trust.
ANSWER 4
Score 2
Many of the answers have correctly pointed out that a flaw in the Windows update process was used by the Flame malware, but some of the important details have been generalized.
This post on the Microsoft TechNet 'Security Research and Defense' blog, titled 'Flame malware collision attack explained', says:
... by default the attacker’s certificate would not work on Windows Vista or more recent versions of Windows. They had to perform a collision attack to forge a certificate that would be valid for code signing on Windows Vista or more recent versions of Windows. On systems that pre-date Windows Vista, an attack is possible without an MD5 hash collision.
"MD5 Collision Attack" = Highly technical cryptographic wizardry - that I certainly don't pretend to understand.
When Flame was discovered and publicly disclosed by Kaspersky on May 28th 2012, researchers found that it had been operating in the wild since at least March 2010, with the code base under development from 2007. Although Flame had several other vectors of infection, the bottom line is that this one vulnerability existed for several years before being discovered and patched.
But Flame was a "Nation State" level operation, and as already pointed out, there is very little an ordinary user can do to protect themselves from three-letter agencies.
Evilgrade
Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has its own WebServer and DNSServer modules. It is easy to set up new settings, and it has an autoconfiguration when new binary agents are set.
The project is hosted on GitHub. It is free and open source.
To quote the intended usage:
This framework comes into play when the attacker is able to make hostname redirections (manipulation of victim's dns traffic)...
Translation: potentially anyone on the same (LAN) network as you, or someone who can manipulate your DNS... still using the default user name and pass on your Linksys router...?
Currently it has 63 different "modules" or potential software updates it attacks, with names like iTunes, VMware, VirtualBox, Skype, Notepad++, CCleaner, TeamViewer, etc. etc. I should add that all of these vulns were patched by their respective vendors and none are for "current" versions, but hey - who does updates anyway...
Demonstration in this video
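The Flame discussion above turns on a forged code-signing certificate chained through an MD5 signature, and answer 3's advice is to never run an "update" handed to you by a web page. As an added example (not from the thread, not Microsoft's tooling), the PowerShell function below inspects a file that claims to be a Windows update and reports whether its Authenticode chain would pass the checks that forgery was built to defeat. It assumes a Windows host with PowerShell 5 or later; the `O=Microsoft Corporation` subject match is a heuristic chosen for this example, not an official publisher check.

```powershell
# Added example, not part of the original thread. Inspect a file presented as a
# "Windows update" and decide whether its Authenticode signature is trustworthy.
function Test-UpdateSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File            = $Path
        Status          = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer          = $null
        SignatureAlg    = $null
        RootCA          = $null
        MicrosoftSigned = $false
        UsesMd5         = $false
        Verdict         = 'REJECT'
    }

    # Anything that is unsigned, tampered with, or signed by an untrusted chain
    # already fails here; a genuine Windows Update never arrives as a loose file.
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        $result.Verdict = "REJECT: signature status is $($sig.Status)"
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer       = $cert.Subject
    $result.SignatureAlg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA

    # Flame's forged leaf chained to a legitimate Microsoft CA, so the leaf alone
    # proves little: walk the chain and flag any MD5-signed certificate on it.
    # The self-signed root is skipped, since its own signature is never verified
    # (some old Microsoft roots are themselves md5RSA, which is harmless there).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($cert)
    $elements = $chain.ChainElements
    for ($i = 0; $i -lt $elements.Count - 1; $i++) {
        if ($elements[$i].Certificate.SignatureAlgorithm.FriendlyName -match '^md5') {
            $result.UsesMd5 = $true
        }
    }
    $result.RootCA          = $elements[$elements.Count - 1].Certificate.Subject
    $result.MicrosoftSigned = ($cert.Subject -match 'O=Microsoft Corporation')

    if ($result.UsesMd5)               { $result.Verdict = 'REJECT: MD5-signed certificate in chain' }
    elseif (-not $result.MicrosoftSigned) { $result.Verdict = 'REJECT: signer is not Microsoft' }
    else                               { $result.Verdict = 'ACCEPT' }
    return [pscustomobject]$result
}

# Usage (path is a placeholder): Test-UpdateSignature -Path 'C:\Users\me\Downloads\update.exe'
```

A file that reaches `ACCEPT` is still only as trustworthy as the root store on the machine, which is why the updater's own channel, and not a downloaded executable, remains the right way to apply patches.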