First, let's try to understand what this whole DDE-IPC is is all about:
As Tr0y put it in his document (zabypass PoC), the idea is to use APIs like CreateProcess, ShellExecute, WinExec etc… in order to run a script (HTTP request in our case) that is later interpreted by a Trusted Host program (iexplorer.exe or other trusted browser in our case).
In the described demo, the program uses the trusted browser in order to send data to some remote site.
An important thing to understand is what information is really available to a program running inside the BZ: basically, all the information that is WITHIN the BZ is accessible (by design) and hence can be sent directly to a remote site without using any special tricks (the BZ do not block internet access by default).
So assuming the Trojan is running inside the BZ, it shouldn't be able to collect data OUT of the BZ.
Now you might ask "what if a Trojan will create a malicious script and call a trusted host to execute it?"
Well, good question
In this case, the AntiMalware program includes a "Contamination" and "Process inheritance" mechanisms: whenever an un-trusted script is ran, the host is first moved to the BZ (temporarily if the Host is trusted) and only then the script is executed. Similar thing happens in creating new processes: the new process is created directly inside the BZ.
For example, you may try the following script example:
Set WshShell = CreateObject("Wscript.Shell")
Create a .vbs file that contains the above lines, put it in BZ and run it. You'll notice that even if your default browser is trusted, it will be opened inside the BufferZone (If you get prompt when you run the script, select "execute in BufferZone").
The zabypass demo is no difference:
1. The information it sends is originate from inside the BZ (which is OK)
2. It "contaminates" the default browser.
The fact that you see the page with the sent information is OK (since this information was collected from inside the BZ).
In order to break the BufferZone security your Trojan will have to either:
1. Collect data from OUT of the BZ (bypassing BZ access restrictions).
2. Open the browser (or any other application) OUT of the BZ (bypassing the contamination mechanism).
Keep up thinking about it