MS should bite the bullet and:
- just tell all developers that they are free to look at the sources, MS will not go after them for IP theft claims or copywrong infringement
- lay out sizable bug bounty rewards for bugs discovered via src code audit
Really not all that many good options out there; this might be the best way to limit the damages security-wise. This would at least give them the reputation of owning up.