Is there any reputable audit of this? Beyond what Microsoft claims?
This is a difficult problem. The software could be audited by an independent third party. However each update needs to be audited as well. Furthermore the binary of the initial state and each subsequent update binary would have to be signed by the auditor in a way allowing independent verification of the signature.
