[continuing on windows/microsoft update:]
of course, the installer file for each update is itself executable code that you either have to trust or pick apart and
inspect with a de-archiver (not really practical unless you have enormous time and patience).
as for wga (license checking), very few updates require it--none of the security or basic bugfix ones. however, some of the ones that do (all indicated as such on the download pages) can be desirable, such as updates to daylight savings time zones and some enhancements/upgrades.
microsoft provides the so-called alternate verification method for use with firefox. about the best you can do with that is download the standalone utility they provide and run it separately, with no browser running.
(the idea of proxifying or torifying that--ha ha, tell me how it goes for you).
it will transmit some blob of your system configuration & install key data to microsoft and hopefully output a time-limited key that you can then paste into the download pages.
so yes, here again you have to trust arbitrary microsoft code. but, that's what you're doing anyway when you use windows.
compare all of the above to, say, debian, where apt or aptitude can use a http proxy (or just automatically communicate via a system-wide transparent tor proxy, if you've gone through the work of setting that up); there is no license key or verification; and you can inspect all the installer code and update scripts if you wish (though of course that would be tedious as well).
so, even if your software is free, you pay for security--with your time.