Last week virtualization.info reported that both VMware VI 3.5 and vSphere 4.0 are being tested by a Common Criteria lab to earn the EAL4+ rating.
VMware already has the EAL4+ certification for VI 3.0.2 but ESX is not they only hypervisor that was rated that high.
Microsoft in fact just announced that Hyper-V 2008 (the first release and not the just launched R2) achieved the EAL4+ certification as well.
It is worth to note that Microsoft earned that certification for the release candidate version of Hyper-V that is embedded in the full version of Windows Server 2008, plus the KB950050 hotfix, which upgrades the hypervisor to 1.0 RTM.
Microsoft didn’t even need to certify Hyper-V using editions that have a reduced attack surface, like the version that is embedded in Windows Server 2008 Server Core or the stand-alone Hyper-V Server 2008.
This should clarify how the typical argument that Hyper-V is less secure than ESX, because the former comes with a full copy of Windows while the latter has a very small footprint, doesn’t work at all. Unless we accept to dispute the absolute value of the Common Criteria rating, as virtualization.info suggested several times.