Both links are shortened and resolve to a generic api.cld.me domain. You'd expect a fix to be hosted on the woothemes controlled domain, not a largely anonymous domain name. You'd also expect that there'd be at least a homepage mention on woothemes.com to this same URL.
Seriously, if you are a representative of woothemes.com, this approach is a major fail. you have a known website, that's where your authority and trust resides. Use it.
This just looks like someone attempting to get people to add a new backdoor to their existing wootheme powered site.
No, the update pops up within your WordPress admin panel in case you are using one of our themes. Secondary download - with the link I provided - is available because our site was hacked last week: http://www.woothemes.com/2012/04/were-alive-and-kicking/ We only use that download link temporarily to be able to provide the update to our users.
Seriously, if you are a representative of woothemes.com, this approach is a major fail. you have a known website, that's where your authority and trust resides. Use it.
This just looks like someone attempting to get people to add a new backdoor to their existing wootheme powered site.