Don't forget secret option

h) Someone breaks into a trusted software vendor and injects it into your favourite desktop application. 

In theory if they signed their releases it wouldn't be an issue, but very few Open Source Windows application installers do (e.g. Filezilla, GAIM, [The] GIMP, et al).