I have since had a look on the internet (although I can't recall where I first read about this).
I have found these:
"Any Windows computer that fetches updates from a WSUS server using a non-https URL is vulnerable, the researchers warned."
This suggests that Windows update servers can deliver updates which have been encrypted in a manner similar to that used in https, but they don't necessarily do this.
"Use the Secure Sockets Layer (SSL) for WSUS connections (server-to-server or server-to-client computer) on all computers that download updates through the Internet. For more information about configuring SSL,"
Again, it suggests that using encrypted update communication is optional. Also, on one of these pages I read that the encryption applies only to metadata and not to the updates themselves.
I have a minor interest in this because vulnerable applications are usually considered to be those which interact with the internet or with files downloaded such as browsers, email clients, Java and Adobe Acrobat. I wondered if downloading updates could also be a potential risk.
Edited by philfil, 20 January 2016 - 08:14 AM.