So do they have any suggestions of what M$ should do?
Whatever Microsoft does, there is going to be the previous version to compare with the new version. I doubt that obfuscation will work; it is just a variant of security by obscurity. Since the code still has to generate actual instructions, there will be something to compare with no matter what they do.
Perhaps Microsoft needs to look at the code being generated by the Black Hats and find ways to reverse-engineer what the exploiters are doing. I wouldn't be surprised if they are already doing this. They could then litter the patches with some chaff designed to look like changes to the malicious code bots. But I don't think it would take very long before the code bots were redesigned to detect the fake changes and only focus on real ones.
These researchers have found something all right, but it would be more useful if they had actually found some way to prevent this kind of patch code comparison from being done. Somehow I think that Microsoft is probably already aware of this.