I'm for safety reasons, the update always from the particular program, or from the manufacturer's website.
it's very unlikely they are malware. they need to hijack those big companies server to serve malware from legitimate source. and that is not easy.
The best idea is to go to the creator/makers website you know is valid, most sites the offer software give dates on when a version of a product is released. If the product is released on a date you know you did not download and install the product in question, then you can just download and install it, the updates should be apart of the install.
Do note that some subscription based software such as anti-viruses do not included definition updates as a part of a default download and must be update via a connection to there server(s) which may flag a popup or a notification in some sort.